Preface



This volume represents the proceedings of the Fourth International Conference 
on Typed Lambda Calculi and Applications, TLCA’99, held in L’Aquila, on 7-9 
April 1999. 

It contains 25 contributions. Fifty were submitted, their overall quality was 
high, and selection was difficult. The Programme Committee is very grateful 
to everyone who submitted a paper. It also contains two papers introducing the 
“demos” of “tlca software”, i.e. industrial products making use of typed lambda-calculi.

The tutorials on

— Denotational semantics by Thomas Ehrhard and John Longley, and

— Intersection types by Mario Coppo and Mariangiola Dezani

are not included in this volume.

The editor wishes to thank the members of the Programme Committee and 
the Organizing Committee listed, for their hard work and support, with a special 
mention for Benedetto Intrigila. He also thanks Corrado Böhm for kindly 
accepting the task of delivering a banquet speech.

The editor also expresses his gratitude to all the referees listed on the next 
page, as well as to those who wish not to be listed for their essential assistance 
and time generously given. 



Marseille, January 1999 
The Coordination Language Facility and
Applications 



Jean-Marc Andreoli 

Xerox Research Centre Europe, 38240 Grenoble, France, 
Jean-Marc.Andreoli@xrce.xerox.com, 
http://www.xrce.xerox.com



Abstract. This short paper gives a quick overview of CLF, a distributed 
object coordination middleware, and two applications of that platform 
to workflow. The driving concepts behind CLF derive from a reflection 
on proof search in Linear Logic, and in particular, the systematic ex- 
ploitation of its resource conscious nature. 



1 CLF: A Coordination Middleware 

CLF is born from a reflection on the application of Linear Logic to distributed 
object coordination. It exploits the resource-conscious nature of Linear Logic in
the framework of the concurrent logic programming paradigm, where computa- 
tions are identified with proof-search [And92]. Turning a theoretical model of 
resource manipulation into a concrete distributed object coordination middle- 
ware required two main steps: 

— First, the notions of “resources” and “objects” had to be integrated. This 
was achieved through a modification of the traditional object model of com- 
putation, making plain the role of objects as resource managers. 

— Second, the concurrent logic programming paradigm of proof search had 
to be adapted to this new object model. This was realized by a scripting 
language based on Linear Logic formulae to express coordination. 

1.1 The CLF Object Model 

The CLF object model enriches the traditional one by viewing objects as resource 
managers, thus separating, inside the object state, the resources themselves from 
their management state. Primitives are introduced to (i) inquire and negotiate 
objects capabilities in terms of resource availability, (ii) perform basic transac- 
tion operations over the resources of several objects (two-phase commit) and (iii) 
request resource insertion. This enriched interaction model (Figure 1) is charac- 
terized by a set of 8 interaction verbs (similar to KQML performatives) together 
with a protocol describing correct sequences of invocations of these verbs, and 
their intended meaning in terms of resource manipulations. Figure 2 gives an 
overview of the verbs and the protocol. The interface of a CLF object distinguishes 
between “CLF services”, accessed through the CLF interaction protocol, 
and regular methods, accessed through the traditional request/answer protocol.
1.2 The CLF Coordination Scripting Facility

The CLF coordination scripting facility takes full advantage of the object model. 
It allows high-level declarative specifications of coordinated invocations of CLF 
object services. A coordination is viewed here as a complex block of inter-related 
manipulations (removal, insertion, etc.) of the resources held by a set of objects 
(called the participants of the coordination). CLF scripts describe, using Linear 
Logic formulae, the expected global behavior of such blocks in terms of resulting 
resource transformations, but abstracts away the detailed sequencing of invoca- 
tions of the CLF interaction verbs required to achieve such a behavior. It is this 
abstraction feature which considerably simplifies the design and verification of 
coordination scripts and makes them highly platform independent and hence, 
portable. The abstract operational semantics of CLF scripts is given in terms of 
proof search. Currently, the fragment of Linear Logic used by the CLF script- 
ing language is a small subset of LinLog [And92] , which is itself a “complete” 
fragment of Linear Logic in terms of proof search (complete in the sense that 
proof search in full Linear Logic can be reduced without loss to proof search in 
LinLog). Extensions of CLF to larger fragments of LinLog are possible, and may 
lead to further refinements of the object model. 

2 The Demonstration: Applications of the CLF 

There are two ways to demonstrate a middleware tool such as CLF: (i) focus 
on the middleware platform itself, but this is rather aimed at a somewhat specialized 
audience (developers of distributed object-based applications); (ii) show 
applications (or rather prototype applications) which have been developed using 
the platform.

We propose to demonstrate here two prototype applications developed using 
CLF. The first one, called XFolder, is a lightweight workflow management 
system; the second one, called XPect [AP98], is a generic electronic commerce 
broker.



2.1 XFolder: a Lightweight Workflow Management System 

XFolder uses the metaphor of the well-known circulation folder envelope to orga- 
nize lightweight workflow within an organization or across several independent 
organizations (with possible access restrictions between them). A circulation 
folder consists of a set of documents, enclosed in an envelope, and a route, usu- 
ally specified on the envelope, and describing the expected path of the envelope 
through different services (or people) of the organization(s) and the tasks to be 
performed at each stop. Whenever a user gets hold of the envelope, s/he can 
perform the current task assigned to it (e.g. read, create, modify, annotate a 
document, sign a sheet, insert a memo etc.), and, possibly, modify the route 
(e.g. extend it or change some tasks), then forward it. 

XFolder implements an electronic version of the traditional circulation folder, 
with additional features allowed by this “virtualization”. The architecture of the 
system is described in Figure 3. The documents contained in the envelope are
held in electronic form in heterogeneous document repositories implemented as 
CLF objects (the resources of which are the documents). The status of the indi- 
vidual folders (route, current active task in the route, assignment of tasks etc.) 
are held in a specific CLF object, the XFolder manager (the resources of which 
are the virtual envelopes). CLF scripts handle the notification of available tasks
to each user, implement the task status transformation as tasks are performed, 
and take care of migrating documents across different repositories when needed 
(i.e. when a firewall or some access restriction prevents a document reference 
from being directly shared between users). 

2.2 XPect: an Electronic Commerce Broker 

XPect realises the functionality of a broker for electronic commerce. It handles 
the coordination of the different partners involved in an electronic commerce 
transaction: customers, bankers, providers, delivery providers etc. Basically, the 
customer submits a query to the broker, describing items of interest. The broker 
browses through the catalogs of the different providers to extract offers matching 
the query constraints (description of good, required options, price limits etc.). 
The user may then select a set of different offers for purchase. This is differ- 
ent from the “shopping basket” of traditional electronic commerce systems in 
the sense that the selected items are considered as a whole: either all of them 
are available at the condition of the offers, and the commercial transaction is 
continued, or the whole transaction is cancelled (but the customer can always 
resume the search phase). This atomic behavior is ensured even across independent 
providers (e.g. with queries of the form “24x36mm camera from provider 
A and a matching 50mm lens from provider B”, or “10 hardcopies of a book X 
from bookshop A and a 24-hour delivery of the whole set from provider B”).

XPect is implemented as a CLF application. The architecture of the system 
is described in Figure 4. The CLF objects involved are the providers, offering 
virtual or hard goods classified in catalogs, the financial services (credit cards, 
electronic cash etc.) and the customer management services. CLF scripts are 
used to implement the different phases of the electronic commerce transaction. 

References 

And92. J-M. Andreoli: Logic programming with focusing proofs in linear logic. Journal 
of Logic and Computation, 2(3), 1992. 
AP98. J-M. Andreoli and F. Pacull: Distributed print on demand systems in the XPect 
framework. Journal of Distributed and Parallel Databases, 1998. To appear.
Fig. 3. Architecture of XFolder
AnnoDomini in Practice: A Type-Theoretic 
Approach to the Year 2000 Problem 

Dept. of Computer Science, Univ. of Copenhagen (DIKU) and Hafnium ApS 

Abstract. AnnoDomini is a commercially available source-to-source
conversion tool for finding and fixing Year 2000 problems in COBOL pro- 
grams. AnnoDomini uses type-based specification, analysis, and trans- 
formation to achieve its main design goals: flexibility, completeness, cor- 
rectness, and a high degree of safe automation. 



1 Introduction 

The Year 2000 (Y2K) problem refers to the inability of software and hardware 
systems to process dates in the 21st century correctly.¹ The problem arises from 
representing calendar years by their last two digits and thus restricting the range
of representable years to 1900-1999. Starting some 40 years ago, this convention 
was established as one of numerous techniques for conserving precious memory 
space. 

The most widespread Year-2000-unsafe date representation consists of six 
characters. It has two characters each for the day of the month, the month of 
the year, and the calendar year, often in the order year-month-day (YYMMDD). 
The string “981106”, for example, represents November 6th, 1998. The problem, 
of course, is that no provision is made for representing years in the 21st century: 
“00” represents 1900, not 2000. 

Since the year 2000, mistakenly represented as “00”, comes before e.g. “99”,
comparison of two-digit years may produce unexpected results in the 21st cen- 
tury, and this may incur problems in operating with e.g. expiry dates. Similarly, 
arithmetical operations involving two-digit years may produce unexpected re- 
sults, affecting e.g. interest calculations. 

The Y2K problem affects countless systems at all levels: embedded systems, 
operating systems, applications and data bases that process or contain dates. 
Both its size and consequences are staggering. Cost estimates vary widely, but 
according to Capers Jones, “the costs of fixing the year 2000 problem appear to 
constitute the most expensive single problem in human history” [2, p. xxiii]. 

Updating application programs to become Year 2000 compliant usually in- 
volves a combination of expansion and masking. Expansion refers to expanding 

¹ We adopt the convention of viewing the year 2000 as belonging to the 21st century. 

unsafe two-digit years to four-digit years in applications, data bases, files, etc.
Expansion can be expensive, however: it requires that not only application pro- 
grams be changed, but also data bases, files and all other programs communi- 
cating dates. Masking denotes a variety of methods for extending two-byte year 
representations into the 21st century; e.g. windowing, compression and encapsu- 
lation. These techniques aim at extending the lifetime of existing data in data 
bases and files as well as screen and print maps into the 21st century. In win- 
dowing, for example, a pivot year determines whether a two-digit year belongs 
to the 20th or the 21st century. For example, with pivot 70, 79 represents 1979, 
and 41 represents 2041. 

AnnoDomini² is a tool (and accompanying method) for finding and fixing
Year 2000 problems in COBOL programs. It accommodates expansion as well as 
masking by source-to-source transformation of COBOL programs. The converted 
programs do not require special compiler support, but compile and execute in 
their existing operating environment. 

AnnoDomini consists of three components: an analysis and conversion engine 
(60,000 lines of Standard ML), a graphical user interface (10,000 lines of Visual 
Basic), and IBM’s Live Parsing Editor (a syntax-sensitive program editor). The 
three components are tightly integrated, as will be explained in what follows. 
AnnoDomini runs on Windows NT 4.0 and Windows 9X, and is commercially 
available from Computer Generated Solutions, Inc. (an IBM business partner) — 
see http://www.cgsinc.com and http://www.hafnium.com. 

AnnoDomini uses type-based specification, analysis, and transformation to 
achieve its main design goals: flexibility, completeness, correctness, and a high 
degree of safe automation. The type-theoretic foundations of AnnoDomini have 
been described elsewhere [1]. In the present brief account we aim to demonstrate 
how AnnoDomini actually works in practice — emphasizing the role of types — 
although we shall ignore many practical issues, e.g., key fields with years, align- 
ment of key fields, aliasing, editing characters, padding/truncation, justification, 
and usage. 

2 The AnnoDomini Approach 

In COBOL programs, dates are represented using the data types and opera- 
tions of the source language: strings of characters and digits, and flat records. 
Their intensional interpretation as representations of dates is not explicit. The 
AnnoDomini approach is based on reverse engineering the programmer-intended 
date interpretations as abstract types. This is done in three conceptual phases:
seeding, type checking, and conversion. 

2.1 An Example COBOL Program Fragment 

To illustrate the AnnoDomini approach, we consider the following fragment of 
a COBOL program. 

² AnnoDomini is a registered trademark of Hafnium ApS. 

77 CUR-DATE PIC 999999. 
77 LRD PIC 999999. 
77 COLUMN PIC 99. 

IF CUR-DATE > LRD PERFORM ISSUE-LAST-REMINDER. 
IF COLUMN < 80 PERFORM DISPLAY-STATUS.

The first three lines are declarations of three variables: CUR-DATE (containing six- 
digit data, signified by the six occurrences of 9), LRD (also containing six-digit 
data), and COLUMN (containing two-digit data). 

The first statement invokes procedure ISSUE-LAST-REMINDER if CUR-DATE 
(“current date”) is greater than LRD (“last reminder date”). 

The current date will most likely have form 000101 on January 1st, year 
2000, so with a last reminder date of, say, December 31st, year 1999 (991231), 
no last reminder will ever be issued as a result of running the application in the 
year 2000 or later. This is not the desired behavior of the program. 

The last statement invokes procedure DISPLAY-STATUS, provided the value 
contained in COLUMN is less than 80. This comparison has nothing to do with 
years and will continue to work in the 21st century. 



2.2 Seeding 

In the first phase of the AnnoDomini approach the user seeds the program with 
year (and possibly non-year) information. This is done by annotating variable 
declarations with Type System 2000 (TS2K) types that specify where years occur 
in them, if at all. 

TS2K types are concatenations of the following different base types: 

1. YYYY: four-digit year; 

2. WW: two-digit, windowed year relative to a fixed pivot, by default 00;³

3. N: single non-year character; 

4. - ... - (n occurrences of -): n characters of unknown type. 

For example, from the declarations alone in our example program we might 
guess that CUR-DATE is a six-digit date with a leading year, and that COLUMN is 
a column position at the terminal screen and hence unrelated to years. What 
LRD denotes, is not clear from the declaration alone. Thus, a seeded version of 
the example program might read: 

*TS2K WWNNNN 
77 CUR-DATE PIC 999999. 
*TS2K 
77 LRD PIC 999999. 
*TS2K NN 
77 COLUMN PIC 99. 

IF CUR-DATE > LRD PERFORM ISSUE-LAST-REMINDER. 
IF COLUMN < 80 PERFORM DISPLAY-STATUS. 

³ With pivot 00, two-digit windowed years are the two-digit years of the 20th century. 

Since COBOL comment lines start with * in column 7, the above TS2K type
declarations are treated as comments by the COBOL compiler. However, to 
AnnoDomini they provide type information. 

Seeding can be done automatically or manually. Automatic seeding works 
by scanning variable names in a program, including all the libraries it imports, 
and looking for matches according to both lexical and data description criteria. 
Informally, for each program variable the user asks: “Could this variable contain 
a calendar year, based on its name and its data description?” For example, a 
variable named DEP-DAT and occupying 6 bytes, might represent a six-digit date 
(“departure date”). Then again, it might not (“deposition data”). Automatic 
seeding is specified by a combination of lexical inclusion and exclusion criteria 
and a list of target date types. These specifications can be configured interac- 
tively, and they can be stored in separate files for future use. Automatic seeding 
is known to be quick, but also error-prone since it depends on nomenclature for 
variable names. AnnoDomini presents a list of all matches along with annotation 
suggestions, but does not automatically accept the results as bona-fide year an- 
notations. Instead, it expects the user to explicitly accept or reject them, possibly 
after inspecting the variable declarations through a point-and-click interface. 

Manual seeding works by systematically checking the interfaces of a program; 
e.g., data base, file, terminal and print map descriptions. In COBOL, these are 
typically localized in shared libraries that are copied into programs by COPY 
statements, COBOL’s macro expansion and source library access mechanism. 
Manual seeding is less error-prone since it reduces guesswork. Since data base, 
file, and map descriptions need to be annotated only once, but are typically used 
by multiple programs, manual seeding need not be done for each program and 
is thus often a quite efficient and safe seeding method. 

2.3 Type checking 

In the second phase AnnoDomini propagates the seeding information to other 
data by type inference. In particular, types are propagated through comparisons
and assignments. For instance, since our example program contains the state- 
ment 



IF CUR-DATE > LRD PERFORM ISSUE-LAST-REMINDER. 

the type of CUR-DATE is propagated to LRD, and AnnoDomini suggests that LRD 
be given the same type. As with seeding suggestions, the user accepts and rejects 
such suggestions through a point-and-click interface. 

During propagation AnnoDomini also checks that the seeded and propagated 
types are consistent with each other. For example, based on its cryptic name, we 
might mistakenly have assumed that LRD is entirely composed of non-year data
and have assigned the type NNNNNN to it, in which case the types of CUR-DATE 
and LRD would be inconsistent. In this case AnnoDomini signals a type error. 

In general, type errors may stem from the following sources: 

1. Seeding error. Seeding might be wrong; for instance, we might have assumed
the incorrect type NNNNNN for LRD. 
2. Not a Year 2000 problem. The type system does not allow both years and 
non-years to occupy the same storage at different times, such as when 
printing both years and non-years through the same print buffer, as in the 
following program fragment.⁴ 

*TS2K WW 
77 CUR-YEAR PIC 99. 
*TS2K NN 
01 NON-YEAR PIC 99. 
*TS2K NN 
77 PRINT-BUF PIC 99. 

MOVE CUR-YEAR TO PRINT-BUF. 
MOVE NON-YEAR TO PRINT-BUF.

3. Year 2000 problem. The error might signal a Year 2000 problem or other 
questionable computations on dates, e.g. a hardwired conversion from 
four-digit years to two-digit years, as in the following program fragment, in 
which the two last digits of a four-digit year are moved into a two-digit variable 
utilizing COBOL’s alignment and truncation rules. A similar coercion 
in the other direction is adding 1900 to a two-digit year. Such hardwired 
coercions do not generally work in the 21st century.

*TS2K WW 
77 YEAR2 PIC 99. 
*TS2K YYYY 
77 YEAR4 PIC 9999. 

MOVE YEAR4 TO YEAR2.

AnnoDomini does not attempt to guess what the cause of a type error is 
and how to eliminate it. It suggests a number of plausible corrective actions, 
however. These include changing the declarations of the variables involved in 
the type incorrect statement — the relevant option in case of a seeding error. 

Two other forms of suggestions are to insert ASSUME and COERCE annotations. 
For instance, for the print buffer example, AnnoDomini suggests annotating the 
MOVE statements with an ASSUME annotation; e.g., 

*TS2K WW 
77 CUR-YEAR PIC 99. 
*TS2K NN 
77 NON-YEAR PIC 99. 
*TS2K NN 
77 PRINT-BUF PIC 99. 

*TS2K ASSUME CUR-YEAR IS NN 
MOVE CUR-YEAR TO PRINT-BUF. 
MOVE NON-YEAR TO PRINT-BUF.



⁴ The MOVE statement is COBOL’s assignment statement. 

The ASSUME annotation tells the type checker that CUR-YEAR should be treated
as having type NN in this statement only. (This is dangerous, of course, and there- 
fore requires an explicit annotation in the source code.) 

The COERCE annotation is used to convert between different year formats. 
For instance, AnnoDomini suggests annotating the type-incorrect statement MOVE
YEAR4 TO YEAR2 with a COERCE statement, e.g., 

*TS2K COERCE YEAR4 TO WW BY D4T02N0 
MOVE YEAR4 TO YEAR2.

The coercion D4T02N0 converts a four-digit year to a value with the same year 
in windowed representation. The COERCE annotation is similar to the ASSUME 
annotation: in the above example, the former instructs AnnoDomini to regard 
YEAR4 as having type WW. The difference is that, in the conversion phase, COERCE 
annotations are replaced by code performing the coercions, whereas ASSUME 
annotations have no run-time significance.

AnnoDomini also provides point-and-click access to the statements causing 
type errors and to the declarations of the variables occurring in the type incorrect 
statement for manual browsing and editing of the source code. 

AnnoDomini issues warnings for all relational and arithmetic operations on 
two-digit years as well as for all relational and arithmetic operations for which 
there is insufficient type information to determine whether their operands con- 
tain years or not. This is a case where seeding is incomplete, with potentially 
dangerous consequences. The user is expected to check the warnings to deter- 
mine whether they cover over any potential Year 2000 problems. They can also 
be eliminated by strengthening the seeding to resolve the operand types. 

Seeding and type checking are repeated, possibly interchangeably, until all 
type errors are eliminated and the program is type correct. 
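To make the seeding and propagation steps concrete, here is an added Python sketch (not AnnoDomini's Standard ML implementation) that expands TS2K annotations into per-character cells, unifies them across MOVE and relational statements until a fixed point, and reports type errors and warnings. The variable names and statements are those of the example fragment; the cell representation and the function names are assumptions of this sketch.

```python
"""Illustrative TS2K seeding and type propagation (added example, not AnnoDomini's code)."""

# Per-character cells: 'Y' (digit of a YYYY year), 'W' (digit of a WW windowed
# year), 'N' (non-year character), '-' (unknown). This representation is an
# assumption of the sketch, not the tool's internal data structure.
BASE_WIDTH = {"YYYY": 4, "WW": 2, "N": 1, "-": 1}


def parse_ts2k(spec):
    """Expand a TS2K annotation such as 'WWNNNN' into a tuple of cells."""
    cells, i = [], 0
    while i < len(spec):
        for base in BASE_WIDTH:
            if spec.startswith(base, i):
                cells.extend(base[0] * BASE_WIDTH[base])
                i += len(base)
                break
        else:
            raise ValueError(f"bad TS2K type: {spec!r}")
    return tuple(cells)


def show(cells):
    return "".join(cells)


def unify(a, b):
    """Most specific cells consistent with both operands, or None on a clash.
    Different widths (e.g. a YYYY field moved into PIC 99) do not unify."""
    if len(a) != len(b):
        return None
    out = []
    for x, y in zip(a, b):
        if x == y or y == "-":
            out.append(x)
        elif x == "-":
            out.append(y)
        else:
            return None
    return tuple(out)


def check_program(decls, seeds, stmts):
    """decls: {var: PIC width}; seeds: {var: TS2K spec}; stmts: (op, lhs, rhs)
    where op is 'MOVE' (lhs moved to rhs) or a relational operator.
    Returns (inferred types, type errors, warnings)."""
    types = {v: parse_ts2k(seeds.get(v, "-" * w)) for v, w in decls.items()}
    errors = []

    def operand(x):
        # A numeric literal such as 80 has an unknown type of its own width.
        return types[x] if x in types else tuple("-" * len(x))

    changed = True
    while changed:  # propagate through the statements until a fixed point
        changed = False
        for op, lhs, rhs in stmts:
            a, b = operand(lhs), operand(rhs)
            u = unify(a, b)
            if u is None:
                msg = f"type error: {lhs} ({show(a)}) vs {rhs} ({show(b)}) in {op}"
                if msg not in errors:
                    errors.append(msg)
                continue
            for name, old in ((lhs, a), (rhs, b)):
                if name in types and u != old:
                    types[name] = u
                    changed = True

    warnings = []  # issued once the types have stabilised
    for op, lhs, rhs in stmts:
        if op == "MOVE":
            continue
        u = unify(operand(lhs), operand(rhs))
        if u is None:
            continue  # already reported as a type error
        if "W" in u:
            warnings.append(f"two-digit year in relational operation: {lhs} {op} {rhs}")
        elif "-" in u:
            warnings.append(f"insufficient type information: {lhs} {op} {rhs}")
    return {v: show(t) for v, t in types.items()}, errors, warnings


# The example fragment of the paper: CUR-DATE seeded, LRD unseeded, COLUMN NN.
DECLS = {"CUR-DATE": 6, "LRD": 6, "COLUMN": 2}
STMTS = [(">", "CUR-DATE", "LRD"), ("<", "COLUMN", "80")]


def example_propagation():
    """LRD receives CUR-DATE's type; the comparison on windowed years is flagged."""
    return check_program(DECLS, {"CUR-DATE": "WWNNNN", "COLUMN": "NN"}, STMTS)


def example_seeding_error():
    """Mistakenly seeding LRD as NNNNNN makes CUR-DATE > LRD a type error."""
    seeds = {"CUR-DATE": "WWNNNN", "LRD": "NNNNNN", "COLUMN": "NN"}
    return check_program(DECLS, seeds, STMTS)


if __name__ == "__main__":
    for result in (example_propagation(), example_seeding_error()):
        print(*result, sep="\n")
```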



2.4 Conversion 

The third and final phase consists of virtual conversion and actual conversion. 
During virtual conversion the user specifies Year 2000-safe types for each vari- 
able. For example 

*TS2K WWNNNN->YYYYNNNN 
77 CUR-DATE PIC 999999. 
*TS2K WWNNNN->YYYYNNNN 
77 LRD PIC 999999. 
*TS2K NN 
77 COLUMN PIC 99. 

IF CUR-DATE > LRD PERFORM ISSUE-LAST-REMINDER. 
IF COLUMN < 80 PERFORM DISPLAY-STATUS.

is a virtual conversion which specifies that CUR-DATE and LRD should be expanded 
from a six-digit to an eight-digit date representation. The actual conversion is 
then fully automatic, yielding the following program fragment: 
*TS2K YYYYNNNN 
77 CUR-DATE PIC 99999999. 
*TS2K YYYYNNNN 
77 DUE-DATE PIC 99999999. 
*TS2K NN 
77 COLUMN PIC 99. 

IF CUR-DATE > DUE-DATE PERFORM ISSUE-LAST-REMINDER. 
IF COLUMN < 80 PERFORM DISPLAY-STATUS.

Alternatively, a virtual conversion can be specified by changing the default 
pivot for windowing from 00 to, say, 70 (this does not require any change to the 
program). Actual conversion then yields, fully automatically:

*TS2K WWNNNN 
77 CUR-DATE PIC 999999. 
*TS2K WWNNNN 
77 DUE-DATE PIC 999999. 
*TS2K NN 
77 COLUMN PIC 99. 

MOVE CUR-DATE TO ARG-1 OF ARGUMENT OF LT70N4-PARAMS. 
MOVE DUE-DATE TO ARG-2 OF ARGUMENT OF LT70N4-PARAMS. 
CALL "LT70N4" USING LT70N4-PARAMS. 
IF RESULT OF LT70N4-PARAMS = '1' 
    PERFORM ISSUE-LAST-REMINDER. 
IF COLUMN < 80 PERFORM DISPLAY-STATUS.

The first four program statements call the AnnoDomini library routine LT70N4 
which compares dates with leading two-digit windowed years relative to pivot 
70 (COBOL’s built-in operator > does not work since it does not take the pivot 
into account). The year-unrelated comparison COLUMN < 80 is left as is.

Each variable can have its own year representation. AnnoDomini has built-in 
support for four-digit years and windowed two-digit years. Apart from these, it 
allows abstract, user-defined two-digit years. These are denoted AA(t), where t 
is the name of a user-defined library, which must contain the required arithmetic 
and relational operations. These can be type-checked on a par with the built-in 
year types. 

Actual conversion is fully automatic: at the push of a button, data declara- 
tions are expanded as desired, calls to the specified coercions are inserted, and 
arithmetic and relational operations involving two-digit years are replaced by 
calls to AnnoDomini’s Year 2000-safe library routines. 
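As an added example (not AnnoDomini's library code), the following Python shows the semantics behind the two conversions above: expansion of WWNNNN dates to YYYYNNNN relative to a pivot, the inverse four-digit to windowed coercion with its unrepresentable-year edge case, and a pivot-aware comparison in the role of LT70N4. The function names are this example's own.

```python
"""Pivot-windowed two-digit years: expansion, coercion and comparison
(added example, not AnnoDomini's library code)."""


def expand_year(yy, pivot):
    """Two-digit windowed year to four digits: yy >= pivot is 19yy, else 20yy.
    With pivot 00 every two-digit year belongs to the 20th century."""
    if not (0 <= yy <= 99 and 0 <= pivot <= 99):
        raise ValueError("two-digit year and pivot must lie in 00..99")
    return 1900 + yy if yy >= pivot else 2000 + yy


def window_year(yyyy, pivot):
    """Four-digit year to windowed two digits. The hardwired 'keep the last two
    digits' coercion of the text is unsafe precisely because this check is missing."""
    yy = yyyy % 100
    if expand_year(yy, pivot) != yyyy:
        raise ValueError(f"{yyyy} is not representable with pivot {pivot:02d}")
    return yy


def expand_date(wwnnnn, pivot):
    """WWNNNN -> YYYYNNNN, the expansion conversion applied to CUR-DATE and LRD."""
    if len(wwnnnn) != 6 or not wwnnnn.isdigit():
        raise ValueError(f"expected a six-digit WWNNNN date, got {wwnnnn!r}")
    return f"{expand_year(int(wwnnnn[:2]), pivot):04d}{wwnnnn[2:]}"


def lt_windowed(a, b, pivot):
    """a < b for two WWNNNN dates with windowed years (the job of the library
    routine LT70N4 in the converted fragment, with pivot 70). Both expanded
    dates have fixed width, so string comparison is numeric comparison."""
    return expand_date(a, pivot) < expand_date(b, pivot)


def last_reminder_due(cur_date, lrd, pivot=None):
    """IF CUR-DATE > LRD: with pivot None, COBOL's built-in numeric '>' on the
    six-digit fields (the Year 2000-unsafe original); otherwise the windowed
    comparison that the conversion substitutes for it."""
    if pivot is None:
        return int(cur_date) > int(lrd)
    return lt_windowed(lrd, cur_date, pivot)


if __name__ == "__main__":
    # January 1st, 2000 against a last reminder date of December 31st, 1999.
    print(last_reminder_due("000101", "991231"))      # False: reminder lost
    print(last_reminder_due("000101", "991231", 70))  # True
    print(expand_date("000101", 70), expand_date("991231", 70))
```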



3 Conclusion and Related Work 

The decision to base AnnoDomini on types has had a number of advantages. 

First, types are good for explicating the intention of data. For instance, types 
are good for distinguishing between years and non-years, e.g. between 80 as 
a two-digit year and 80 as a column position. Similarly, types are good for 
distinguishing between different types of years, e.g. 80 as the two-digit windowed 
year 1980 and 80 as the year 80 A.D.

Second, types are good for discovering Year 2000 problems; for instance, 
the comparison CUR-YEAR < 80 is problematic if CUR-YEAR is a two-digit year, 
whereas COLUMN < 80 is unproblematic if COLUMN denotes non-year information. 

Third, types are good for guiding transformations. In particular, 
year-unrelated code can be left as is. 

Fourth, many design choices are made simply and elegantly by casting our 
analysis as a type inference. For instance, how to report inconsistent usage of 
years in the program? This obviously becomes a type error. 

Finally, we have been able to benefit greatly from the design and implementa- 
tion of ML, and its underlying theory, in developing AnnoDomini. For instance, 
some of the main results concerning type inference in [1] were adopted from 
Hindley-Milner type inference, with some modifications. 

There is a vast literature on type theory and type-based program analysis. 
There are also numerous Year 2000 tools. Very few of those are semantics-based, 
however, and of those only AnnoDomini appears to be type-based with integrated 
automatic analysis and conversion. 

The value of working with type notions in software understanding and reengi- 
neering has been observed previously by O’Callahan and Jackson [3]. 
Van Deursen and Moonen [5] describe type inference rules for COBOL for clas- 
sifying data into sets of data representations. Subtyping is interpreted as sub- 
sumption of value sets. Their system specifies type equivalences, and it allows 
subtyping steps at assignments. Intuitively, this specifies a flow-insensitive data 
flow analysis, refined by data flow sensitivity at assignments. 

Independently of us, Ramalingam, Field and Tip have developed basically the 
same unification algorithm as used by AnnoDomini’s type inference algorithm [4] . 
They also demonstrate how their algorithm is applicable to Year 2000 program 
analysis. 
1 Introduction 

The question we want to investigate was expressed by Girard in [3]:

“Assume that I am given a program P [a proof-net Π], and that I cut 
it in two parts arbitrarily. I create two ... modules, linked together by 
their border. Can I express that my two modules are complementary 
[orthogonal], in other terms that I can branch them by identification over 
their common border? One would like to define the type of the modules 
as their branching instructions; these branching instructions should be 
such that they authorized the restoring of the original P [the proof-net 
Π].”



Girard in [3] gave the solution for the multiplicative fragment of linear logic 
(MLL); another deep investigation of this question for MLL has been given by 
Danos and Regnier in [2]. Here we present the first steps towards a solution of 
this question for the multiplicative fragment of non-commutative logic (MNL), 
which is a refinement of MLL and an extension of both MLL and the cyclic 
multiplicative linear logic. MNL was introduced in [1].

The lines of Girard’s investigations [3] are the basis for our investigations, 
since they can be improved and adapted also for MNL. 

In the following: 

1. we define what a module is in MNL, i.e. what we obtain from a proof-net in 
MNL by splitting it arbitrarily, and we define what is a type of a module in 
MNL; 

2. we define when two modules in MNL are orthogonal, and we prove the theorem: 
if two modules Π₁ and Π₂ in MNL are orthogonal, then Π₁ ∘ Π₂ (i.e. 
what we get by gluing their common border) is a proof-net in MNL.



In order to understand the paper, and the new questions posed to MNL with 
respect to MLL, we give a short summary about proof nets in MNL (called MNL 
proof-nets). 

The formulas of MNL are built from atoms (p, q, …) and their orthogonals 
(p⊥, q⊥, …) by using the following binary connectives:
— multiplicative connectives: ⊗, ℘; 

— non-commutative connectives: ⊙ (next), ∇ (sequential). 

A MNL proof-structure is defined as usual by taking the following links: 

— axiom-link (no premises; conclusions: A⊥ and A), 

— cut-link (no conclusions; premises: A and A⊥), 

— for each connective ◇, the ◇-link (conclusion: A◇B; first premise: A; second 
premise: B). 

A set of switches is defined for each link: 

— for the axiom-link, one switch (A⊥↑ → A↓, A↑ → A⊥↓), 

— for the cut-link, one switch (A↓ → A⊥↑, A⊥↓ → A↑), 

— for the ⊗-link, the usual two switches ⊗-L and ⊗-R, 

— for the ℘-link, the usual two switches ℘-L and ℘-R, 

— for the ⊙-link a unique switch: ⊙-R ((A⊙B)↑ → A↑, A↓ → B↑, B↓ → (A⊙B)↓), 

— for the ∇-link three switches: ∇-L ((A∇B)↑ → A↑, B↓ → B↑, A↓ → (A∇B)↓), 
∇-R ((A∇B)↑ → B↑, A↓ → A↑, B↓ → (A∇B)↓), 
∇-3 ((A∇B)↑ → A↑, B↓ → (A∇B)↓).

A switching for an MNL proof-structure $R$ is a function $s$ such that, for every link $l$ in $R$, $s(l)$ is a switch for $l$.

Given a switching $s$ for an MNL proof-structure $R$, we can construct an oriented graph $s(R)$. The set of vertices of $s(R)$ is

$$\{A^x \mid A \text{ an occurrence of formula in } R \text{ and } x \in \{\uparrow, \downarrow\}\}.$$

In $s(R)$ there is the oriented edge $A^x \to B^y$ if, for some link $l$, $A^x \to B^y$ is given by $s(l)$; moreover, there is an edge $C\!\downarrow \to C\!\uparrow$ for every conclusion $C$.

A trip in $s(R)$ is a maximal path in $s(R)$. The trips in $s(R)$ may be:

— either cyclic, i.e. of the form $A^x \ldots A^x$, with $x \in \{\uparrow, \downarrow\}$; a long trip is a cyclic trip containing $B\!\uparrow$ and $B\!\downarrow$ for each occurrence of formula $B$ in $R$;

— or non-cyclic; in this case the trip has the form $B\!\uparrow \ldots A\!\downarrow$, where $B$ is the second premise of a $\nabla$-link $l$ such that $s(l) = \nabla\text{-}3$ and $A$ is the first premise of a $\nabla$-link $l'$ such that $s(l') = \nabla\text{-}3$.

$R$ is an MNL proof-net iff $R$ is an MNL proof-structure such that, for any switching $s$, there is exactly one cyclic trip $T$ in $s(R)$ and $T$:

— is bilateral, i.e. $T$ does not contain the pattern $B^x \ldots C^y \ldots B^{\bar{x}} \ldots C^{\bar{y}}$, where $x, y \in \{\uparrow, \downarrow\}$ and $\bar{\uparrow} = \downarrow$, $\bar{\downarrow} = \uparrow$;

— contains all the conclusions of $R$.
So, when $\Pi$ is an MNL proof-net and $s$ is a switching for $\Pi$, non-cyclic trips do not contain conclusions of $\Pi$.

Due to the possible presence of $\nabla$-links with switch $\nabla$-3, the unique cycle in $s(\Pi)$, where $\Pi$ is an MNL proof-net, is not necessarily a long trip. Due to the unique switch $\odot$-R for $\odot$-links, we cannot conclude that every trip is bilateral from the existence of a unique cycle $T$ in $s(\Pi)$ for every switching $s$.

The existence of non-cyclic trips in $s(\Pi)$, and the requirement of bilaterality of the unique cycle in $s(\Pi)$ for every switching $s$, are the main difficulties when we try to adapt the lines of Girard's investigations in [3] to MNL. The existence of non-cyclic trips leads us to consider partial permutations (instead of total permutations) induced by the switchings; the requirement that a cyclic trip must contain all the conclusions leads us to consider sets $\gamma_s$ induced by each switching $s$; the requirement of bilaterality of cyclic trips leads us to introduce a more refined concept of orthogonality between permutations and to use relations $\delta_s$ and $\chi_s$ induced by each switching $s$.

2 Bordered MNL proof-structures, switchings and trips

Definition 1. $(\Pi; \Gamma)$ is a bordered MNL proof-structure iff:

— $\Pi$ is a graph of occurrences of formulas of MNL, linked by occurrences of links of MNL; $|\Pi|$ is the set of all the occurrences of formulas of $\Pi$, and $L_\Pi$ is the set of all occurrences of links in $\Pi$;

— for every $A \in |\Pi|$ there is at most one link $l \in L_\Pi$ such that $A$ is a premise of $l$; $\mathrm{Con}(\Pi) = \{A \in |\Pi| \mid \forall l \in L_\Pi,\ A \text{ is not a premise of } l\}$;

— for every $A \in |\Pi|$ there is at most one link $l \in L_\Pi$ such that $A$ is a conclusion of $l$; $\mathrm{Hyp}(\Pi) = \{A \in |\Pi| \mid \forall l \in L_\Pi,\ A \text{ is not a conclusion of } l\}$;

— $\Gamma$ (the border) is a finite sequence of occurrences of formulas of $\Pi$ such that:

• for every $A \in \mathrm{Hyp}(\Pi)$, $A$ is in $\Gamma$,

• if $A$ is in $\Gamma$, then $A \in \mathrm{Hyp}(\Pi) \cup \mathrm{Con}(\Pi)$;

$\mathrm{PCon}((\Pi; \Gamma)) = \{A \in \mathrm{Con}(\Pi) \mid A \notin \Gamma\}$.

The elements of $\mathrm{Hyp}(\Pi)$ are called the hypotheses of $\Pi$. The elements of $\mathrm{Con}(\Pi)$ are called the conclusions of $\Pi$ and those of $\mathrm{PCon}((\Pi; \Gamma))$ are called the proper conclusions of $(\Pi; \Gamma)$. If $\Gamma$ is empty, then $(\Pi; \emptyset)$ is exactly an MNL proof-structure as defined in [1].

Definition 2. Two bordered MNL proof-structures $(\Pi_1; \Gamma_1)$ and $(\Pi_2; \Gamma_2)$ are compatible iff:

— $\Gamma_1 = \Gamma_2$,

— for every $A$ in $\Gamma_1$, $A \in \mathrm{Con}(\Pi_1)$ iff $A \in \mathrm{Hyp}(\Pi_2)$, and $A \in \mathrm{Con}(\Pi_2)$ iff $A \in \mathrm{Hyp}(\Pi_1)$.

Definition 3. If $(\Pi_1; A_1 \ldots A_n)$ and $(\Pi_2; A_1 \ldots A_n)$ are compatible bordered MNL proof-structures, then $\Pi_1 \circ \Pi_2$ is the graph obtained from $\Pi_1$ and $\Pi_2$ by identifying the occurrence $A_i$ in $\Pi_1$ with the occurrence $A_i$ in $\Pi_2$, for all $i \in \{1 \ldots n\}$.

Remark that, if $\Pi$ is commutative (i.e. without $\odot$ and $\nabla$), then the above definitions are those given by Girard in [3].

If $(\Pi_1; \Gamma)$ and $(\Pi_2; \Gamma)$ are compatible bordered MNL proof-structures, then $\Pi_1 \circ \Pi_2$ is an MNL proof-structure.

Definition 4. $s$ is a switching for a bordered MNL proof-structure $(\Pi; \Gamma)$ iff $s$ is a function such that, for every $l \in L_\Pi$, $s(l)$ is a switch for $l$.

If $s$ is a switching for a bordered MNL proof-structure $(\Pi; \Gamma)$, then $s((\Pi; \Gamma))$ is the oriented graph such that:

— $|s((\Pi; \Gamma))| = \{A^x \mid A \in |\Pi| \text{ and } x \in \{\uparrow, \downarrow\}\}$;

— in $s((\Pi; \Gamma))$ there is the oriented edge $A^x \to B^y$ (where $x, y \in \{\uparrow, \downarrow\}$) iff:

• either, for some link $l \in L_\Pi$, $A^x \to B^y$ is given by $s(l)$,

• or $A = B$ is a proper conclusion of $(\Pi; \Gamma)$, $x = \downarrow$ and $y = \uparrow$.

Remark that in $s((\Pi; \Gamma))$ there is no oriented edge

— from $A\!\downarrow$, when $A \in \mathrm{Con}(\Pi)$ and $A$ is in $\Gamma$, or when $A$ is the first premise of a $\nabla$-link $l \in L_\Pi$ such that $s(l) = \nabla\text{-}3$,

— from $A\!\uparrow$, when $A \in \mathrm{Hyp}(\Pi)$,

— to $A\!\downarrow$, when $A \in \mathrm{Hyp}(\Pi)$,

— to $A\!\uparrow$, when $A \in \mathrm{Con}(\Pi)$ and $A$ is in $\Gamma$, or when $A$ is the second premise of a $\nabla$-link $l \in L_\Pi$ such that $s(l) = \nabla\text{-}3$.



We shall use the following notations for $A \in \Gamma$. $A^{\mathrm{in}(\Pi)}$ is:

$A\!\uparrow$ if $A \in \mathrm{Con}(\Pi)$, $\quad A\!\downarrow$ if $A \in \mathrm{Hyp}(\Pi)$;

and $A^{\mathrm{out}(\Pi)}$ is:

$A\!\downarrow$ if $A \in \mathrm{Con}(\Pi)$, $\quad A\!\uparrow$ if $A \in \mathrm{Hyp}(\Pi)$.

$A^{\mathrm{in}(\Pi)}$ is the position of $A$ ($A\!\uparrow$ or $A\!\downarrow$) through which we can move into $\Pi$; $A^{\mathrm{out}(\Pi)}$ is the position of $A$ ($A\!\downarrow$ or $A\!\uparrow$) through which we can exit from $\Pi$.



Definition 5. Let $s$ be a switching for a bordered MNL proof-structure $(\Pi; \Gamma)$. A trip in $s((\Pi; \Gamma))$ is a maximal path in $s((\Pi; \Gamma))$.

Let $s$ be a switching for a bordered MNL proof-structure $(\Pi; \Gamma)$. Each trip in $s((\Pi; \Gamma))$ belongs to exactly one of these classes:

— cyclic trips or cycles, i.e. trips of the form $A^x \ldots A^x$, where $A \in |\Pi|$ and $x \in \{\uparrow, \downarrow\}$;

— $\Gamma$-trips, i.e. trips of the form $A^{\mathrm{in}(\Pi)} \ldots B^{\mathrm{out}(\Pi)}$, where $A, B$ are formulas in $\Gamma$;

— critical trips, i.e. trips of the form $C\!\uparrow \ldots$ or $A^x \ldots B\!\downarrow$, where $C$ is the second premise of a $\nabla$-link $l \in L_\Pi$ such that $s(l) = \nabla\text{-}3$ and $B$ is the first premise of a $\nabla$-link $l' \in L_\Pi$ such that $s(l') = \nabla\text{-}3$.



3 The type of a bordered MNL proof-structure

Definition 6. $\sigma \in \mathrm{perm}(\{1, \ldots, n\})$ iff $\sigma$ is a (total or partial) permutation of $\{1, \ldots, n\}$, i.e. a (total or partial) injection from $\{1, \ldots, n\}$ to $\{1, \ldots, n\}$.



Definition 7. Let $(\Pi; \Gamma)$ be a bordered MNL proof-structure, where $\Gamma$ is $A_1 \ldots A_n$. Let $s$ be a switching for $(\Pi; \Gamma)$.

— $\rho_s$ is the (partial or total) permutation of $\{1, \ldots, n\}$ defined by: for every $i \in \{1, \ldots, n\}$, $\rho_s(i) = j$ iff there is a $\Gamma$-trip in $s((\Pi; \Gamma))$ of the form $A_i^{\mathrm{in}(\Pi)} \ldots A_j^{\mathrm{out}(\Pi)}$.

Remark that, if $i \in \{1 \ldots n\}$ and there is a critical trip $A_i^{\mathrm{in}(\Pi)} \ldots B\!\downarrow$ in $s((\Pi; \Gamma))$, then $\rho_s(i)$ is not defined.



— $\beta_s \subseteq \{1 \ldots n\}^4$ is defined by: for every $i, j, k, m \in \{1, \ldots, n\}$, $\beta_s(i, j, k, m)$ iff the $\Gamma$-trips

$$A_i^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(i)}^{\mathrm{out}(\Pi)}, \quad A_j^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(j)}^{\mathrm{out}(\Pi)}, \quad A_k^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(k)}^{\mathrm{out}(\Pi)}, \quad A_m^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(m)}^{\mathrm{out}(\Pi)}$$

exist in $s((\Pi; \Gamma))$ and, by linking these trips one after the other as follows,

$$A_i^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(i)}^{\mathrm{out}(\Pi)} \to A_j^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(j)}^{\mathrm{out}(\Pi)} \to A_k^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(k)}^{\mathrm{out}(\Pi)} \to A_m^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(m)}^{\mathrm{out}(\Pi)},$$

we get a bilateral trip (i.e. there is no configuration $B^x \ldots C^y \ldots B^{\bar{x}} \ldots C^{\bar{y}}$, where $x, y \in \{\uparrow, \downarrow\}$, $\bar{\uparrow} = \downarrow$ and $\bar{\downarrow} = \uparrow$);



— $\gamma_s$ is the subset of $\{1, \ldots, n\}$ defined by: $i \in \gamma_s$ iff the trip $A_i^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(i)}^{\mathrm{out}(\Pi)}$ exists in $s((\Pi; \Gamma))$ and in this trip there is at least one proper conclusion of $(\Pi; \Gamma)$;

— $\delta_s \subseteq \{1, \ldots, n\}^2$ is defined by: for every $i, j \in \{1, \ldots, n\}$, $\delta_s(i, j)$ iff $\rho_s(i)$ and $\rho_s(j)$ are defined and there is $B$ in $\Pi$ such that $B^x$ is in the $\Gamma$-trip from $A_i^{\mathrm{in}(\Pi)}$ and $B^{\bar{x}}$ is in the $\Gamma$-trip from $A_j^{\mathrm{in}(\Pi)}$;

— $\chi_s \subseteq \{1, \ldots, n\}^3$ is defined by: for every $i, j, k \in \{1, \ldots, n\}$, $\chi_s(i, j, k)$ iff $\rho_s(i)$, $\rho_s(j)$ and $\rho_s(k)$ are defined and, by linking these trips as follows,

$$A_i^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(i)}^{\mathrm{out}(\Pi)} \to A_j^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(j)}^{\mathrm{out}(\Pi)} \to A_k^{\mathrm{in}(\Pi)} \ldots A_{\rho_s(k)}^{\mathrm{out}(\Pi)},$$

we get a bilateral trip (i.e. there is no configuration $B^x \ldots C^y \ldots B^{\bar{x}} \ldots C^{\bar{y}}$, where $x, y \in \{\uparrow, \downarrow\}$, $\bar{\uparrow} = \downarrow$ and $\bar{\downarrow} = \uparrow$).

Remark that $\beta_s$, $\delta_s$ and $\chi_s$ are related as shown in the following lemma.

Lemma 1. Let $s$ be a switching for $(\Pi; A_1, \ldots, A_n)$. Let $S$ be a cycle made of elements of $\{1, \ldots, n\}$. Let us consider the following statements:

1. For every $i, j, k, m \in \{1, \ldots, n\}$, if $i \ldots j \ldots k \ldots m$ occurs in this order in $S$, then $\beta_s(i, j, k, m)$;

2. For every $i, j, k, m \in \{1, \ldots, n\}$,

— if $i \ldots j \ldots k$ occurs in this order in $S$, then $\chi_s(i, j, k)$, and

— if $i \ldots j \ldots k \ldots m$ occurs in this order in $S$, then either $\delta_s(i, k)$ does not hold, or $\delta_s(j, m)$ does not hold.

Then the statement in point 2 implies the one in point 1.

Proof. Let statement 2 hold. Let $i$ be the $\Gamma$-trip from $A_i$, $j$ the one from $A_j$, $k$ the one from $A_k$, and $m$ the one from $A_m$. Let $i \ldots j \ldots k \ldots m$ occur in this order in $S$. Then, by statement 2, $\chi_s(i, j, k)$, $\chi_s(i, k, m)$ and $\chi_s(j, k, m)$ hold, so that the possible pattern $B^x \ldots C^y \ldots B^{\bar{x}} \ldots C^{\bar{y}}$ in $i \to j \to k \to m$ may occur only when $B^x$ is in $i$, $C^y$ is in $j$, $B^{\bar{x}}$ is in $k$ and $C^{\bar{y}}$ is in $m$, i.e. when $\delta_s(i, k)$ and $\delta_s(j, m)$ hold; but this is excluded by statement 2.

Definition 8. Let $\sigma_1, \sigma_2 \in \mathrm{perm}(\{1 \ldots n\})$. Let $\gamma_1, \gamma_2 \subseteq \{1 \ldots n\}$. Let $\delta_1, \delta_2 \subseteq \{1 \ldots n\}^2$. Let $\chi_1, \chi_2 \subseteq \{1 \ldots n\}^3$.

$(\sigma_1, \gamma_1, \delta_1, \chi_1) \perp (\sigma_2, \gamma_2, \delta_2, \chi_2)$ iff:

— the composition $\sigma_1\sigma_2$ contains exactly one cycle $T_1$; if $T_1$ is the cycle

$$\sigma_1\sigma_2(i),\ (\sigma_1\sigma_2)^2(i),\ \ldots,\ (\sigma_1\sigma_2)^k(i),$$

for some $i \in \{1 \ldots n\}$ and $k \leq n$, then call $T_2$ the following unique cycle of $\sigma_2\sigma_1$:

$$\sigma_2(i),\ \sigma_2((\sigma_1\sigma_2)(i)),\ \ldots,\ \sigma_2((\sigma_1\sigma_2)^{k-1}(i)),$$

and $T$ the following cycle:

$$i,\ \sigma_2(i),\ (\sigma_1\sigma_2)(i),\ \ldots,\ \sigma_2((\sigma_1\sigma_2)^{k-1}(i)),\ (\sigma_1\sigma_2)^k(i);$$

— $T$ is bilateral, i.e. $T$ does not contain the configuration $j \ldots k \ldots j \ldots k$;

— for every $j \in \{1 \ldots n\}$, if $j \in \gamma_1$ then $j$ is in $T_1$, and if $j \in \gamma_2$ then $j$ is in $T_2$;

— for every $j, k, m, h \in \{1 \ldots n\}$,

• if $j \ldots k \ldots m \ldots h$ is a portion of $T_1$, then either $\delta_1(j, m)$ does not hold, or $\delta_1(k, h)$ does not hold,

• if $j \ldots k \ldots m \ldots h$ is a portion of $T_2$, then either $\delta_2(j, m)$ does not hold, or $\delta_2(k, h)$ does not hold;

— for every $j, k, m \in \{1 \ldots n\}$,

• if $j \ldots k \ldots m$ is a portion of $T_1$ then $\chi_1(j, k, m)$, and

• if $j \ldots k \ldots m$ is a portion of $T_2$ then $\chi_2(j, k, m)$.

Remark that $(\sigma_1, \gamma_1, \delta_1, \chi_1) \perp (\sigma_2, \gamma_2, \delta_2, \chi_2)$ iff $(\sigma_2, \gamma_2, \delta_2, \chi_2) \perp (\sigma_1, \gamma_1, \delta_1, \chi_1)$.



Definition 9. — The set $\mathrm{Dperm}(\{1 \ldots n\})$ is

$$\{(\sigma, \gamma, \delta, \chi) \mid \sigma \in \mathrm{perm}(\{1 \ldots n\}),\ \gamma \subseteq \{1 \ldots n\},\ \delta \subseteq \{1 \ldots n\}^2,\ \chi \subseteq \{1 \ldots n\}^3\}.$$

— If $X, Y \subseteq \mathrm{Dperm}(\{1 \ldots n\})$ then $X \perp Y$ iff $\forall x \in X,\ y \in Y.\ x \perp y$.

Definition 10. Let $(\Pi; \Gamma)$ be a bordered MNL proof-structure. $\mathrm{type}((\Pi; \Gamma)) = \{(\rho_s, \gamma_s, \delta_s, \chi_s) \mid s \text{ switching of } (\Pi; \Gamma)\}$.

Remark that if we restrict ourselves to total permutations and delete $\gamma$, $\delta$ and $\chi$, Definition 9 is exactly the definition of orthogonality of permutations and between sets of permutations given by Girard in [3].

If $\Pi$ is commutative, then, for every $s$, $\rho_s$ is a total permutation.

The need for $\delta_s$ and $\chi_s$ comes from the condition that trips in MNL proof-nets must be bilateral. The need for $\gamma_s$ comes from the condition that the unique cycle in MNL proof-nets, under a switching $s$, must contain all the conclusions. So, when $\Pi$ is commutative, we can disregard $\gamma_s$, $\delta_s$, $\chi_s$.
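The orthogonality test of Definition 8 implemented over explicit data, as an added example that is not part of the paper. The partial permutations and the sets $\gamma$, $\delta$, $\chi$ below are constructed by hand (they do not come from any proof-structure); the commutative instance, where the extra components are trivial, is Girard's case, and the other instances each violate one clause of the definition.

```python
# Added example (not from the paper): Definition 8 checked mechanically on
# constructed data. A partial permutation of {1..n} is a dict i -> sigma(i);
# gamma is a set of indices, delta a set of pairs and chi a set of triples,
# i.e. the shape of an element of Dperm({1..n}) in Definition 9.
from itertools import combinations, permutations

def compose(s1, s2):
    """The partial permutation sigma1 sigma2 : i -> sigma1(sigma2(i))."""
    return {i: s1[s2[i]] for i in s2 if s2[i] in s1}

def cycles(p):
    """Cycles of a partial permutation; an orbit that runs off the domain
    (the permutation counterpart of a critical trip) is not a cycle."""
    found, seen = [], set()
    for start in sorted(p):
        if start in seen:
            continue
        orbit, i = [], start
        while i in p and i not in orbit:
            orbit.append(i)
            i = p[i]
        seen.update(orbit)
        if i == start:
            found.append(orbit)
    return found

def bilateral(seq):
    """True iff seq has no crossing pattern j ... k ... j ... k with j != k."""
    pos = {}
    for idx, x in enumerate(seq):
        pos.setdefault(x, []).append(idx)
    for j in pos:
        for k in pos:
            if j == k:
                continue
            for a, b in combinations(pos[j], 2):
                if any(a < c < b < d for c, d in combinations(pos[k], 2)):
                    return False
    return True

def orthogonal(x, y):
    """(sigma1,gamma1,delta1,chi1) _|_ (sigma2,gamma2,delta2,chi2) per Definition 8.
    T1 is listed from its smallest element i as i, s1s2(i), ..., (s1s2)^(k-1)(i)."""
    (s1, g1, d1, c1), (s2, g2, d2, c2) = x, y
    cyc = cycles(compose(s1, s2))
    if len(cyc) != 1:                          # sigma1 sigma2 has exactly one cycle
        return False
    t1 = cyc[0]
    t2 = [s2[j] for j in t1]                   # sigma2(i), sigma2(s1s2(i)), ...
    # T interpolates T2 into T1 and closes on (s1s2)^k(i) = i
    t = [v for pair in zip(t1, t2) for v in pair] + [t1[0]]
    if not bilateral(t):
        return False
    if not (g1 <= set(t1) and g2 <= set(t2)):  # gamma: indices that must lie on the cycle
        return False
    for tr, delta, chi in ((t1, d1, c1), (t2, d2, c2)):
        # delta: along j...k...m...h the pairs (j,m) and (k,h) must not both hold
        if any((j, m) in delta and (k, h) in delta
               for j, k, m, h in combinations(tr, 4)):
            return False
        # chi: every ordered triple of the cycle must be bilateral
        if any((j, k, m) not in chi for j, k, m in combinations(tr, 3)):
            return False
    return True

def all_triples(n):
    return set(permutations(range(1, n + 1), 3))

# Constructed instances (no proof-structure behind them).
IDENT3 = {1: 1, 2: 2, 3: 3}
CYCLE3 = {1: 2, 2: 3, 3: 1}
COMMUTATIVE = ((CYCLE3, {2}, set(), all_triples(3)),
               (IDENT3, {3}, set(), all_triples(3)))          # orthogonal
TWO_CYCLES = (({1: 2, 2: 1, 3: 3}, set(), set(), all_triples(3)),
              (IDENT3, set(), set(), all_triples(3)))         # s1s2 has two cycles
PARTIAL = (({1: 2, 2: 3}, set(), set(), all_triples(3)),      # 3 undefined: no cycle
           (IDENT3, set(), set(), all_triples(3)))
IDENT4 = {1: 1, 2: 2, 3: 3, 4: 4}
CYCLE4 = {1: 2, 2: 3, 3: 4, 4: 1}
DELTA_CLASH = ((CYCLE4, set(), {(1, 3), (2, 4)}, all_triples(4)),  # delta1(1,3) and delta1(2,4)
               (IDENT4, set(), set(), all_triples(4)))
DELTA_OK = ((CYCLE4, set(), {(1, 3)}, all_triples(4)),
            (IDENT4, set(), set(), all_triples(4)))

if __name__ == "__main__":
    for name, pair in [("commutative", COMMUTATIVE), ("two cycles", TWO_CYCLES),
                       ("partial", PARTIAL), ("delta clash", DELTA_CLASH),
                       ("delta ok", DELTA_OK)]:
        print(f"{name:12s}: {orthogonal(*pair)}  (symmetric: {orthogonal(*pair[::-1])})")
```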

4 Orthogonal MNL modules

Definition 11. $(\Pi; \Gamma)$ is an MNL proof-module iff:

— $(\Pi; \Gamma)$ is a bordered MNL proof-structure and $\Gamma$ is not empty,

— for every switching $s$ for $(\Pi; \Gamma)$:

• in $s((\Pi; \Gamma))$ there is no cycle,

• for every critical trip $T$ in $s((\Pi; \Gamma))$ there is no proper conclusion in $T$.

Remark that the only condition added to the definitions given by Girard in [3] is the last point of Definition 11.
Definition 12. $(\Pi_1; \Gamma) \perp (\Pi_2; \Gamma)$ iff:

— $(\Pi_1; \Gamma)$ and $(\Pi_2; \Gamma)$ are compatible MNL modules,

— $\mathrm{type}((\Pi_1; \Gamma)) \perp \mathrm{type}((\Pi_2; \Gamma))$.

Theorem 1. If $(\Pi_1; \Gamma) \perp (\Pi_2; \Gamma)$, then $(\Pi_1; \Gamma) \circ (\Pi_2; \Gamma)$ is a proof-net of MNL.

Proof. Let $s$ be an arbitrary switching for $\Pi_1 \circ \Pi_2$; we show that:

1. there is a cycle $T^*$ in $s(\Pi_1 \circ \Pi_2)$,

2. $T^*$ is bilateral,

3. $T^*$ contains all the conclusions of $\Pi_1 \circ \Pi_2$,

4. $T^*$ is the unique cycle in $s(\Pi_1 \circ \Pi_2)$.

Observe that $s = s_1 + s_2$, where $s_1$ is a switching for $\Pi_1$ and $s_2$ is a switching for $\Pi_2$, and that the conclusions of $\Pi_1 \circ \Pi_2$ are the elements of $\mathrm{PCon}((\Pi_1; \Gamma)) \cup \mathrm{PCon}((\Pi_2; \Gamma))$.

Let $\sigma = \rho_{s_1}$, $\tau = \rho_{s_2}$, $\gamma_1 = \gamma_{s_1}$, $\gamma_2 = \gamma_{s_2}$, $\delta_1 = \delta_{s_1}$, $\delta_2 = \delta_{s_2}$, $\chi_1 = \chi_{s_1}$, $\chi_2 = \chi_{s_2}$.

Proof of 1. Since $\mathrm{type}((\Pi_1; \Gamma)) \perp \mathrm{type}((\Pi_2; \Gamma))$ we get that $(\sigma, \gamma_1, \delta_1, \chi_1) \perp (\tau, \gamma_2, \delta_2, \chi_2)$. Take the unique cycle $T_1$ of $\sigma\tau$:

$$\sigma\tau(i),\ (\sigma\tau)^2(i),\ \ldots,\ (\sigma\tau)^k(i),$$

where $i \in \{1 \ldots n\}$ and $k \leq n$, and consider the cycle $T$ obtained by interpolating in $T_1$ the cycle $T_2$ of $\tau\sigma$:

$$i,\ \tau(i),\ \sigma\tau(i),\ \tau(\sigma\tau(i)),\ (\sigma\tau)^2(i),\ \ldots,\ \tau((\sigma\tau)^{k-1}(i)),\ (\sigma\tau)^k(i).$$

$T^*$ is:

$$A_i^{\mathrm{in}(\Pi_2)} \ldots A_{\tau(i)}^{\mathrm{out}(\Pi_2)} \ldots A_{\sigma\tau(i)}^{\mathrm{in}(\Pi_2)} \ldots A_{\tau(\sigma\tau(i))}^{\mathrm{out}(\Pi_2)} \ldots A_{(\sigma\tau)^2(i)}^{\mathrm{in}(\Pi_2)} \ldots A_{\tau((\sigma\tau)^{k-1}(i))}^{\mathrm{out}(\Pi_2)} \ldots A_{(\sigma\tau)^k(i)}^{\mathrm{in}(\Pi_2)}.$$

Remark that $\mathrm{out}(\Pi_1) = \mathrm{in}(\Pi_2)$ and $\mathrm{in}(\Pi_1) = \mathrm{out}(\Pi_2)$.

$T^*$ is a cyclic trip in $s(\Pi_1 \circ \Pi_2)$ since, by definition of $\sigma$ and $\tau$,

$$A_{\tau(i)}^{\mathrm{out}(\Pi_2)} \ldots A_{\sigma\tau(i)}^{\mathrm{in}(\Pi_2)}, \quad \ldots, \quad A_{\tau((\sigma\tau)^{k-1}(i))}^{\mathrm{out}(\Pi_2)} \ldots A_{(\sigma\tau)^k(i)}^{\mathrm{in}(\Pi_2)}$$

are trips in $s_1((\Pi_1; \Gamma))$ and

$$A_i^{\mathrm{in}(\Pi_2)} \ldots A_{\tau(i)}^{\mathrm{out}(\Pi_2)}, \quad A_{\sigma\tau(i)}^{\mathrm{in}(\Pi_2)} \ldots A_{\tau(\sigma\tau(i))}^{\mathrm{out}(\Pi_2)}, \quad \ldots$$

are trips in $s_2((\Pi_2; \Gamma))$.

Proof of 2. First remark that $T$ is bilateral, so that also the sequence of the occurrences $A_i^x$ (with $i \in \{1 \ldots n\}$ and $x \in \{\uparrow, \downarrow\}$) in $T^*$ is bilateral; i.e. the border is arranged inside $T^*$ in a bilateral way.

Suppose that in $T^*$ there is a non-bilateral pattern

$$B^x \ldots C^y \ldots B^{\bar{x}} \ldots C^{\bar{y}} \qquad (x, y \in \{\uparrow, \downarrow\}).$$

First case: $B \in |\Pi_1|$ and $C \in |\Pi_1|$.

In this case $B^x, C^y, B^{\bar{x}}, C^{\bar{y}}$ are in some $\Gamma$-trips of $s_1((\Pi_1; \Gamma))$. If these occurrences are distributed in at most three $\Gamma$-trips, then we find three $\Gamma$-trips

$$A_j^{\mathrm{in}(\Pi_1)} \ldots A_{\sigma(j)}^{\mathrm{out}(\Pi_1)}, \quad A_k^{\mathrm{in}(\Pi_1)} \ldots A_{\sigma(k)}^{\mathrm{out}(\Pi_1)}, \quad A_m^{\mathrm{in}(\Pi_1)} \ldots A_{\sigma(m)}^{\mathrm{out}(\Pi_1)}$$

such that the order of the occurrences of $j, k, m$ in $T_1$ is $j \ldots k \ldots m$, and

$$A_j^{\mathrm{in}(\Pi_1)} \ldots A_{\sigma(j)}^{\mathrm{out}(\Pi_1)} \to A_k^{\mathrm{in}(\Pi_1)} \ldots A_{\sigma(k)}^{\mathrm{out}(\Pi_1)} \to A_m^{\mathrm{in}(\Pi_1)} \ldots A_{\sigma(m)}^{\mathrm{out}(\Pi_1)}$$

contains the pattern $B^x \ldots C^y \ldots B^{\bar{x}} \ldots C^{\bar{y}}$; but then $\chi_1(j, k, m)$ does not hold, in contradiction with $\mathrm{type}((\Pi_1; \Gamma)) \perp \mathrm{type}((\Pi_2; \Gamma))$.

Otherwise, let $B^x$ be in the $\Gamma$-trip from $A_j^{\mathrm{in}(\Pi_1)}$, $C^y$ in the $\Gamma$-trip from $A_k^{\mathrm{in}(\Pi_1)}$, $B^{\bar{x}}$ in the $\Gamma$-trip from $A_m^{\mathrm{in}(\Pi_1)}$ and $C^{\bar{y}}$ in the $\Gamma$-trip from $A_h^{\mathrm{in}(\Pi_1)}$. In $T_1$ the order of the occurrences $j, k, m, h$ is just

$$j \ldots k \ldots m \ldots h,$$

but $\delta_1(j, m)$ and $\delta_1(k, h)$ hold, in contradiction with $\mathrm{type}((\Pi_1; \Gamma)) \perp \mathrm{type}((\Pi_2; \Gamma))$.

Second case: $B \in |\Pi_2|$ and $C \in |\Pi_2|$. Analogous to the first one.

Third case: $B \in |\Pi_1|$ and $C \in |\Pi_2|$.

In this case $B^x$ and $B^{\bar{x}}$ are in some $\Gamma$-trips of $s_1((\Pi_1; \Gamma))$, say $B^x$ is in the $\Gamma$-trip from $A_j^{\mathrm{in}(\Pi_1)}$ and $B^{\bar{x}}$ is in the $\Gamma$-trip from $A_m^{\mathrm{in}(\Pi_1)}$; $C^y$ and $C^{\bar{y}}$ are in some $\Gamma$-trips of $s_2((\Pi_2; \Gamma))$, say $C^y$ is in the $\Gamma$-trip from $A_k^{\mathrm{in}(\Pi_2)}$ and $C^{\bar{y}}$ is in the $\Gamma$-trip from $A_h^{\mathrm{in}(\Pi_2)}$. In $T$ the order of the occurrences of $j, k, m, h$ is

$$j \ldots k \ldots m \ldots h.$$

Consider the portion of $T^*$

$$A_j^{\mathrm{in}(\Pi_1)} \ldots A_k^{\mathrm{in}(\Pi_2)} \qquad (\text{recall that } A_k^{\mathrm{in}(\Pi_2)} = A_k^{\mathrm{out}(\Pi_1)})$$

and let $r$ be such that $A_r^{\mathrm{in}(\Pi_1)}$ is in this portion after $B^x$, whereas $A_{\sigma(r)}^{\mathrm{out}(\Pi_1)}$ is not in this portion (such an $r$ exists by obvious considerations). Now consider the portion

$$A_j^{\mathrm{in}(\Pi_1)} \ldots B^x \ldots A_{\sigma(j)}^{\mathrm{out}(\Pi_1)} \ldots A_r^{\mathrm{in}(\Pi_1)} \ldots A^{\mathrm{out}(\Pi_2)} \ldots B^{\bar{x}} \ldots$$

We have $r \neq m$, because otherwise there would be the pattern

$$B^x \ldots A_r^{\mathrm{in}(\Pi_1)} \ldots B^{\bar{x}} \ldots A_r^{\mathrm{out}(\Pi_1)}$$

or the pattern

$$B^x \ldots A_r^{\mathrm{out}(\Pi_1)} \ldots B^{\bar{x}} \ldots A_r^{\mathrm{in}(\Pi_1)}$$

with only formulas belonging to $\Pi_1$, and this is excluded by the first case. Therefore the portion of $T^*$ from $A_j^{\mathrm{in}(\Pi_1)}$ to $A_{\tau(h)}^{\mathrm{out}(\Pi_2)}$ looks as follows:

$$A_j^{\mathrm{in}(\Pi_1)} \ldots B^x \ldots A_{\sigma(j)}^{\mathrm{out}(\Pi_1)} \ldots A_k^{\mathrm{in}(\Pi_2)} \ldots A_{\tau(k)}^{\mathrm{out}(\Pi_2)} \ldots A_m^{\mathrm{in}(\Pi_1)} \ldots B^{\bar{x}} \ldots A_h^{\mathrm{in}(\Pi_2)} \ldots A_{\tau(h)}^{\mathrm{out}(\Pi_2)}.$$

Restrict our attention to the $\Gamma$-trips of $s_2((\Pi_2; \Gamma))$ which occur in the above portion of $T^*$:

$$A_r^{\mathrm{in}(\Pi_2)} \ldots A_{\tau(r)}^{\mathrm{out}(\Pi_2)} \qquad (1)$$

$$A_k^{\mathrm{in}(\Pi_2)} \ldots C^y \ldots A_{\tau(k)}^{\mathrm{out}(\Pi_2)} \qquad (2)$$

$$A_{\tau^{-1}(r)}^{\mathrm{in}(\Pi_2)} \ldots A_r^{\mathrm{out}(\Pi_2)} \qquad (3)$$

$$A_h^{\mathrm{in}(\Pi_2)} \ldots C^{\bar{y}} \ldots A_{\tau(h)}^{\mathrm{out}(\Pi_2)} \qquad (4)$$

but $(1) \to (2) \to (3) \to (4)$ is not bilateral, since it contains the pattern

$$A_r^{\mathrm{in}(\Pi_2)} \ldots C^y \ldots A_r^{\mathrm{out}(\Pi_2)} \ldots C^{\bar{y}}$$

with only formulas belonging to $\Pi_2$, and this contradicts the second case.

Fourth case: $B \in |\Pi_2|$ and $C \in |\Pi_1|$. Analogous to the third one.

Proof of 3. Let $C$ be a proper conclusion of $(\Pi_1; \Gamma)$. Since $(\Pi_1; \Gamma)$ is an MNL module, $C$ is not in a critical trip of $s_1((\Pi_1; \Gamma))$, so that $C$ is in a $\Gamma$-trip, say in the $\Gamma$-trip

$$A_j^{\mathrm{in}(\Pi_1)} \ldots A_{\sigma(j)}^{\mathrm{out}(\Pi_1)}.$$

So $j \in \gamma_1$.

Since $\mathrm{type}((\Pi_1; \Gamma)) \perp \mathrm{type}((\Pi_2; \Gamma))$, $j$ is in $T$, so that

$$A_j^{\mathrm{in}(\Pi_1)} \ldots A_{\sigma(j)}^{\mathrm{out}(\Pi_1)}$$

is in $T^*$, which therefore contains $C$.

If $C$ is a proper conclusion of $(\Pi_2; \Gamma)$ the proof is analogous.

Proof of 4. Let $S$ be a cycle in $s((\Pi_1; \Gamma) \circ (\Pi_2; \Gamma))$. $S$ cannot be a cycle in $s_1((\Pi_1; \Gamma))$ or a cycle in $s_2((\Pi_2; \Gamma))$, since $(\Pi_1; \Gamma)$ and $(\Pi_2; \Gamma)$ are MNL modules. So $S$ must contain some formulas of the border $\Gamma$. If $S$ contains $A_j^x$, where $A_j$ is in $\Gamma$, and $A_j^x$ is in $T^*$, then the cycle $S$ is equal to $T^*$. Otherwise, as $S$ is a cycle, we can extract from $S$ another cycle in $\sigma\tau$. But this would contradict $\mathrm{type}((\Pi_1; \Gamma)) \perp \mathrm{type}((\Pi_2; \Gamma))$.
Abstract. We introduce a geometry of interaction model given by an algebra of clauses equipped with resolution (following [Gir95a]) into which proofs of Elementary Linear Logic can be interpreted. In order to extend geometry of interaction computation (Execution) to more programs of the algebra than just those coming from proofs, we define a variant of Execution (called Weak Execution). Its application to any program of clauses is shown to terminate with a bound on the number of steps which is elementary in the size of the program. We establish that Weak Execution coincides with standard Execution on programs coming from proofs.

Geometry of interaction (GOI) was introduced by Girard ([Gir88a]) as a semantics of computation which, on the one hand, contrary to denotational semantics, interprets explicitly the dynamics of computation and handles finite objects, and, on the other hand, expresses this dynamics by more mathematical means than syntactical rewriting.

The EXECUTION operation is the mathematical tool inside the model used to interpret the cut-elimination process. This operation is not always defined, and sufficient conditions have been given which ensure termination of the computation: in the case of second-order Linear Logic ([Gir88a, Gir95a]) and of untyped lambda-calculus ([MR91]), operators coming from the syntax do satisfy such conditions (a nilpotency condition for instance in the case of LL). Various frameworks have been used to describe GOI models: bounded operators on Hilbert spaces ([Gir88a, DR95]), partial applications ([Dan90, Reg92]) and clauses ([Gir95a]). This latter point of view is the one we adopt here.

Elementary Linear Logic (ELL), like Light Linear Logic (LLL), is a variant of Linear Logic in which the rules introducing exponentials have been modified (cf. [Gir95b]) in order to limit the size explosion of proofs during normalization. It is obtained by removing the two principles $!A \vdash A$ and $!A \vdash !!A$; contraction and weakening are kept unchanged. We consider here a version of ELL without additive connectives and where the introduction of the modality $!$ is handled through a (multi-)functorial promotion rule (called t-promotion, see [Ped96]), which offers the advantage of having simple proof-nets. A proof-net has two main parameters: its size (say the number of edges) and its depth (maximal nesting of the boxes it contains). The number of steps of its normalization is bounded by a function of the size which is elementary: the expression of this function is an exponential tower whose height only depends on the depth (see [Ped96]).

A drawback of ELL (as well as of LLL) is the lack of a specific semantics of proofs, though a semantics of provability has been given by Kanovitch et al. ([KOS97]). We address this problem from the angle of a GOI semantics.

Achievements and limits of the present work. We present here an algebra of clauses along the lines of [Gir95a] with a kind of depth-preservation property analogous to that of ELL (section 1). Execution is defined through resolution and the operators are certain sets of clauses; a comparison of these operators with Prolog programs can be found in [Gir95a], section 2.3. In addition to usual EXECUTION we define a weak execution (section 2) which amounts to giving up the computation of certain products of the execution (products yielding a deadlock when one restrains the depth).

A size and a depth are defined for general operators, respectively as the number of clauses and as the arity of the predicates of the terms (all predicates have the same arity). Our main result is then that weak execution always terminates (there is no need for a sufficient condition such as nilpotency) and that, the depth being fixed, the number of steps of the computation is bounded by a function of the size of the program which is elementary (proved in section 2). Clearly speaking, in this setting we can bound in advance the run-time of a program provided we know its size and depth. Therefore the intrinsic elementary bound obtained in ELL by logical means has been extended to a semantical ground.

Yet this WEAK EXECUTION presents a serious drawback, as it is not in general an associative operation. Still, at least one inclusion is obtained instead of the expected equality (we call this property sub-associativity): the result of global EXECUTION is included in the result of any modular execution (see section 3 for a precise statement).

In this abstract we only sketch the main proofs; complete proofs can be found in [BP99].

Acknowledgments. Authors wish to thank Jean-Yves Girard for important 
suggestions and for pointing out the crucial lemma 2. 



1 Resolution Algebra

We first need to introduce clauses and resolution. We then recall the definition of the algebra of clauses given in [Gir95a] before describing the particular algebra we consider in this work: the layered algebra of clauses.

A term language $\mathcal{T}$ is built over variables and a set of function symbols; its elements will be denoted $t, u$. Let a set of predicate symbols be given together with their arity; the language of atoms $\mathcal{L}$ built over $\mathcal{T}$ and this set of predicates is the set of the $P_i(t_1, \ldots, t_n)$, where $n$ is the arity of $P_i$ and the $t_j$'s belong to $\mathcal{T}$.

We say that two terms (or atoms) $e$ and $e'$ are comparable when there is a substitution $\theta$ defined over the variables in $e$ and $e'$ such that $e\theta = e'\theta$.



Elementary Complexity and Geometry of Interaction 27

If $e, e'$ are comparable then there exists a most general unifier (m.g.u.), i.e. a substitution $\theta_0$ such that for every unifier $\theta$ there is a $\theta'$ such that $\theta = \theta_0\theta'$. If $e$ and $e'$ are not comparable, we say that they are orthogonal: $e \perp e'$.

A clause $\phi$ in the language $\mathcal{L}$ is a sequent

$$\forall x_0, \ldots, x_d.\ (P_i(t_0, \ldots, t_m) \vdash P_j(u_0, \ldots, u_n)),$$

where $P_i(t_0, \ldots, t_m)$ and $P_j(u_0, \ldots, u_n)$ are atoms of $\mathcal{L}$ with the same variables $x_0, \ldots, x_d$. We will omit writing the quantification.

The head of the clause $\phi$ is the atom $\mathrm{head}(\phi) = P_i(t_0, \ldots, t_m)$, its tail is the atom $\mathrm{tail}(\phi) = P_j(u_0, \ldots, u_n)$.

We also introduce a formal clause $0$. Let $\mathcal{C}$ denote the set of clauses over $\mathcal{L}$. A substitution $\theta$ acts on a clause $\phi$ by: $\phi\theta = \mathrm{head}(\phi)\theta \vdash \mathrm{tail}(\phi)\theta$.

Definition 1 (Resolution). Given two clauses $\phi$ and $\phi'$ we can assume they have disjoint variables (by choosing appropriate instantiations). If $\mathrm{tail}(\phi)$ is comparable with $\mathrm{head}(\phi')$ and $\theta$ is their m.g.u., we define the resolution of the two clauses as the clause

$$\phi \cdot \phi' = \mathrm{head}(\phi)\theta \vdash \mathrm{tail}(\phi')\theta.$$

Otherwise, if $\mathrm{tail}(\phi)$ and $\mathrm{head}(\phi')$ are not comparable: $\phi \cdot \phi' = 0$.

We fix by convention that the resolution of the clause zero with any other clause is zero; this implies that resolution is associative.

A clause $\phi$ is said to be a projection (resp. a null-square) if $\phi^2 = \phi$ (resp. $\phi^2 = 0$), which is equivalent to $\mathrm{head}(\phi) = \mathrm{tail}(\phi)$ (resp. $\mathrm{head}(\phi) \perp \mathrm{tail}(\phi)$).

Definition 2 (Resolution Algebra). Let $\Lambda^*(\mathcal{T})$ be the set of all finite formal linear combinations $\sum \alpha_i \phi_i$ where the scalars $\alpha_i$ belong to $\mathbb{C}$ and the clauses $\phi_i$ to $\mathcal{C}$. The set $\Lambda^*(\mathcal{T})$ is equipped with

— a structure of complex vector space,

— a structure of complex algebra, the multiplication being extended by bilinearity from resolution: $(\sum \alpha_i \phi_i)(\sum \beta_j \phi'_j) = \sum \alpha_i \beta_j\,(\phi_i \cdot \phi'_j)$,

— a unit w.r.t. multiplication: $\sum_i P_i(x_0, \ldots, x_n) \vdash P_i(x_0, \ldots, x_n)$,

— an anti-involution defined by $(\sum \alpha_i \phi_i)^* = \sum \bar{\alpha}_i \phi_i^*$, where $\phi^* := \mathrm{tail}(\phi) \vdash \mathrm{head}(\phi)$.

A norm can be introduced in order to get a $C^*$-algebra, see [Gir95a]. Another way to write a combination of clauses is as $\sum a(\phi)\phi$, where the sum is taken over $\mathcal{C}$ and $a$ is a map from the set of clauses $\mathcal{C}$ to $\mathbb{C}$ such that $a^{-1}(\mathbb{C} \setminus \{0\})$ is finite. We will use this notation when it is more convenient.

If $U = \sum_i \alpha_i \phi_i$ and $V = \sum_i \beta_i \phi_i$ are two elements with coefficients in $\mathbb{N}$, we write $U \subseteq V$ if for all $i$, $\alpha_i \leq \beta_i$.

Definition 3 (Execution Formula). A wiring is a finite sum of clauses $\sum \phi_i$ such that for $i \neq j$: $\mathrm{head}(\phi_i) \perp \mathrm{head}(\phi_j)$ and $\mathrm{tail}(\phi_i) \perp \mathrm{tail}(\phi_j)$.

A loop is a pair of wirings $(U, \sigma)$ such that $\sigma$ is hermitian (i.e. $\sigma^* = \sigma$). A loop converges when $\sigma U$ is nilpotent, i.e. when $(\sigma U)^n = 0$ for some $n$. The execution of the loop $(U, \sigma)$ is then the element

$$\mathrm{Ex}_\sigma(U) := U(1 - \sigma U)^{-1} = U \sum_{k=0}^{n} (\sigma U)^k$$

and the result of the execution is given by

$$\mathrm{Result}_\sigma(U) := (1 - \sigma^2)\,\mathrm{Ex}_\sigma(U)\,(1 - \sigma^2).$$

Remark 1. Another way to write the execution is directly as a sum of clauses:

$$\mathrm{Ex}_\sigma(U) = \sum_{\substack{\phi_0 \in U \\ \phi_i \in \sigma U,\ 1 \leq i \leq k \\ k < n}} \phi_0 \cdot \phi_1 \cdots \phi_k.$$

Now we specify the particular language we are going to consider. The terms of $\mathcal{T}$ are built over a set of unary function symbols $\{p, q, r, s\}$; therefore such terms have exactly one free variable, and $t[x]$ will denote a term with free variable $x$. The length $|t|$ of $t$ is the number of function symbols appearing in it.

Remark 2. Notice that, as $\mathcal{T}$ is defined over unary function symbols, if two terms $t$ and $u$ are unifiable then their m.g.u. $\theta$ leaves at least one of the two terms unchanged (up to renaming of its variable). For any pair of terms $(t, u)$, only one of the following cases can occur: $t \perp u$ or $t < u$ or $t > u$, where $t < u$ means that $u$ is the unchanged term.

We will consider a family of predicate symbols of the same arity$^1$ $(d + 1)$. Let $\mathcal{T}^{d+1} \cdot m$ denote the set of atoms defined this way. The set $\mathcal{C}^d$ is the set of clauses

$$\phi = \forall x_0, \ldots, x_d.\ (P_i(t_0[x_0], \ldots, t_d[x_d]) \vdash P_j(u_0[x_0], \ldots, u_d[x_d])),$$

where $\mathrm{head}(\phi)$ and $\mathrm{tail}(\phi)$ belong to $\mathcal{T}^{d+1} \cdot m$. Notice that $t_k$ and $u_k$ ($0 \leq k \leq d$) are required to have the same free variable.

We call layered algebra the algebra of clauses defined over $\mathcal{C}^d$ and we denote it by $\Lambda^*(\mathcal{T}^{d+1} \cdot m)$. From now on this is the algebra we consider.

2 Weak Execution

A word of clauses $w$ is a finite sequence of clauses $w = (\phi_1, \ldots, \phi_n)$ with $\phi_i \in \mathcal{C}^d$, and its product clause is $\phi_1 \cdot \phi_2 \cdots \phi_n$. A sub-product of the word $w$ is the product clause of a word $(\phi_i, \ldots, \phi_j)$ for some $i \leq j \leq n$.

Given a clause $\phi = P(t_0, \ldots, t_d) \vdash P'(u_0, \ldots, u_d)$ its width is defined as $\|\phi\| := \sup\{|t_k|, |u_k| \mid 0 \leq k \leq d\}$. The width of a word $w$ is simply given by $\|w\| := \sup_{1 \leq i \leq n} \|\phi_i\|$. The cardinality of $w$ is $N(w) := \#\{\phi_i \mid 1 \leq i \leq n\}$.

$^1$ The choice of $d + 1$ is made to keep the same notations when we interpret proof-structures, see section 4.
Example: Consider in $\mathcal{C}^0$ the clause $\phi = P(x) \vdash P(rx)$ and let $w_n$ be the word $(\phi, \ldots, \phi)$ of length $n$. In that case we have $\|w_n\| = \|\phi\| = 1$, $N(w_n) = 1$ and the product of $w_n$ is the clause $P(x) \vdash P(r^n x)$.

Definition 4 (Acyclicity). A clause $\phi = P(t_0, \ldots, t_d) \vdash P'(u_0, \ldots, u_d)$ is an acyclic clause if $P \neq P'$, or ($P = P'$ and there exists $k \leq d$ such that for every $i < k$ we have $u_i = t_i$, and $u_k \perp t_k$).

An acyclic word (resp. strictly acyclic word) is a word $(\phi_1, \ldots, \phi_n)$ such that every sub-product $\psi$ is either an acyclic clause or a projection (resp. an acyclic clause).

Example: Consider in $\mathcal{C}^1$ the clauses $\phi_1 = P(sx_0, x_1) \vdash P(rx_0, x_1)$, $\phi_2 = P(rx_0, rrx_1) \vdash P(rx_0, sx_1)$ and $\phi_3 = P(x_0, sx_1) \vdash P(rx_0, rsx_1)$. Each of them is an acyclic clause. The word $w = (\phi_1, \phi_2, \phi_3)$ has a non-null product but is not acyclic since its sub-product $\phi_2 \cdot \phi_3 = P(rx_0, rrx_1) \vdash P(rrx_0, rsx_1)$ is not an acyclic clause (though it is a null-square).
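An added example, not the paper's own code, implementing the layered clause algebra of Sections 1 and 2 over the unary symbols $\{p, q, r, s\}$: resolution with the prefix-based unification of Remark 2, widths and cardinality of words, and the acyclicity checks of Definition 4, run on the two examples above. Terms are stored as strings of function symbols with the layer variable implicit; treating a sub-product that is already $0$ as raising no objection to acyclicity is this example's own reading.

```python
# Added example (not from the paper): the layered clause algebra of Sections 1-2
# over the unary function symbols {p, q, r, s}. A term t[x_k] of layer k is stored
# as its string of function symbols, outermost first ("rsx1" -> "rs"); the
# variable x_k is implicit. Two terms of the same layer with distinct variables
# are comparable iff one symbol string is a prefix of the other (Remark 2: the
# m.g.u. leaves the longer term unchanged and instantiates the other's variable).
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Clause:
    head_pred: str
    head: Tuple[str, ...]     # t_0[x_0], ..., t_d[x_d]
    tail_pred: str
    tail: Tuple[str, ...]     # u_0[x_0], ..., u_d[x_d]

    def __str__(self):
        def atom(p, ts):
            return p + "(" + ", ".join(f"{t}x{k}" for k, t in enumerate(ts)) + ")"
        return f"{atom(self.head_pred, self.head)} |- {atom(self.tail_pred, self.tail)}"

def comparable(t, u):
    return t.startswith(u) or u.startswith(t)

def resolve(phi, psi):
    """Definition 1: phi . psi, or None standing for the zero clause 0.
    Layer k of tail(phi) is unified with layer k of head(psi), variables renamed apart."""
    if phi.tail_pred != psi.head_pred:
        return None
    head, tail = [], []
    for t, u, t2, u2 in zip(phi.head, phi.tail, psi.head, psi.tail):
        if t2.startswith(u):       # x_k := t2[len(u):] x'_k  -> phi's head term grows
            head.append(t + t2[len(u):]); tail.append(u2)
        elif u.startswith(t2):     # x'_k := u[len(t2):] x_k  -> psi's tail term grows
            head.append(t); tail.append(u2 + u[len(t2):])
        else:                      # orthogonal layer: the product is 0
            return None
    return Clause(phi.head_pred, tuple(head), psi.tail_pred, tuple(tail))

def product(word):
    """Product clause of a word; None once any resolution step yields 0."""
    acc = word[0]
    for phi in word[1:]:
        acc = resolve(acc, phi) if acc is not None else None
    return acc

def width(phi):                     # ||phi|| = sup |t_k|, |u_k|
    return max(len(t) for t in phi.head + phi.tail)

def word_width(word):               # ||w||
    return max(width(phi) for phi in word)

def cardinality(word):              # N(w): number of distinct clauses
    return len(set(word))

def is_projection(phi):
    return phi.head_pred == phi.tail_pred and phi.head == phi.tail

def is_null_square(phi):            # phi^2 = 0, i.e. head(phi) _|_ tail(phi)
    return resolve(phi, phi) is None

def is_acyclic(phi):
    """Definition 4 read literally: P != P', or the first layer k where u_k != t_k
    has u_k _|_ t_k (all earlier layers being equal)."""
    if phi.head_pred != phi.tail_pred:
        return True
    for t, u in zip(phi.head, phi.tail):
        if not comparable(u, t):
            return True
        if u != t:
            return False
    return False                    # head == tail: a projection, not acyclic

def is_acyclic_word(word, strict=False):
    """Every sub-product (phi_i ... phi_j) is acyclic (or a projection, unless strict).
    Assumption of this example: a sub-product that is already 0 raises no objection."""
    n = len(word)
    for i in range(n):
        for j in range(i, n):
            sub = product(word[i:j + 1])
            if sub is None:
                continue
            if not (is_acyclic(sub) or (not strict and is_projection(sub))):
                return False
    return True

# The page's examples, transcribed: the C^0 clause phi = P(x) |- P(rx) and the
# C^1 clauses phi_1, phi_2, phi_3. Note that, read literally, Definition 4 does
# not classify phi_3 as acyclic (u_0 = rx0 is comparable to, but differs from,
# t_0 = x0), so nothing below relies on phi_3 alone.
PHI = Clause("P", ("",), "P", ("r",))
PHI1 = Clause("P", ("s", ""), "P", ("r", ""))
PHI2 = Clause("P", ("r", "rr"), "P", ("r", "s"))
PHI3 = Clause("P", ("", "s"), "P", ("r", "rs"))

if __name__ == "__main__":
    print("w_5 product :", product([PHI] * 5), "width", width(product([PHI] * 5)))
    print("phi2 . phi3 :", resolve(PHI2, PHI3))
    print("word acyclic:", is_acyclic_word([PHI1, PHI2, PHI3]))
```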

We now introduce a restricted form of execution over strictly acyclic words of clauses. Contrary to usual execution we define it not only for converging loops but for any pair of combinations $(U, \sigma)$; Theorem 1 will establish the fact that this definition always makes sense (the sum is finite).

Definition 5 (Weak Execution). Given a pair of combinations $(U, \sigma)$, denote $U = \sum \alpha(\phi)\phi$ and $\sigma U = \sum \gamma(\phi)\phi$. Its weak execution is defined as

$$\mathrm{Ex}^w_\sigma(U) := \sum_{(\phi_0, \ldots, \phi_n) \in A} \alpha(\phi_0)\Big(\prod_{i=1}^{n} \gamma(\phi_i)\Big)\ \phi_0 \cdot \phi_1 \cdots \phi_n,$$

where

$$A := \Big\{ (\phi_0, \phi_1, \ldots, \phi_n) \ \Big|\ \alpha(\phi_0) \neq 0,\ \gamma(\phi_i) \neq 0 \text{ when } i \neq 0,\ \text{and the word } (\phi_0, \ldots, \phi_n) \text{ is strictly acyclic} \Big\}.$$

As a particular case, given a loop $(U, \sigma)$ its weak execution is

$$\mathrm{Ex}^w_\sigma(U) = \sum_{(\phi_0, \ldots, \phi_n) \in A'} \phi_0 \cdot \phi_1 \cdots \phi_n,$$

where

$$A' := \Big\{ (\phi_0, \phi_1, \ldots, \phi_n) \ \Big|\ \phi_0 \in U,\ \phi_i \in \sigma U \text{ when } i \neq 0,\ \text{and the word } (\phi_0, \ldots, \phi_n) \text{ is strictly acyclic} \Big\}.$$

The result of the weak execution is in that case defined as

$$\mathrm{Result}^w_\sigma(U) := (1 - \sigma^2)\,\mathrm{Ex}^w_\sigma(U)\,(1 - \sigma^2).$$

Remark 3. Note that in cases where $\mathrm{Ex}_\sigma(U)$ makes sense ($(U, \sigma)$ is a loop and $\sigma U$ is nilpotent), we have that $\mathrm{Ex}^w_\sigma(U) \subseteq \mathrm{Ex}_\sigma(U)$.



30 Patrick Baillot and Marco Pedicini



Our first goal is to show that we can bound the width of the product clause of an acyclic word (Proposition 1). In the case of a strictly acyclic word this implies that the length of the word cannot exceed a certain bound (depending on the number and the width of the clauses) without yielding zero as result. This bound will be expressed as an exponential tower of height $d$ (Proposition 2).

Proposition 1. Given an acyclic word $w = (\phi_1, \ldots, \phi_n)$ with non-null product, we have the following inequality$^2$: $\|\phi_1 \cdots \phi_n\| \leq L(\|w\|, N(w), d)$, where $L$ is defined by

$$L(a, b, d) := 2^{2^{\cdot^{\cdot^{\cdot^{2^{8ab(d+1)^2}}}}}}$$

and the height of the exponential tower is $d$ (for $d = 0$ we get the exponent $8ab$).

This proposition will be proved further on. The result relies of course on the fact that $w$ is strictly acyclic. Otherwise, given a fixed width (of word) and cardinality, one might exhibit non-acyclic words whose products are of arbitrarily big width: see for instance the first example given, where for any $n$, $\|w_n\| = 1$, $N(w_n) = 1$ and the product of $w_n$ is $P(x) \vdash P(r^n x)$, whose width is $n$.

Definition 6. Given three integers $l, N \geq 1$ and $s$, we define

$$B(l, N, s) := 2^{2^{\cdot^{\cdot^{\cdot^{2^{9lN(s+1)^2}}}}}}$$

where the height of the exponential tower is $s + 1$.

Proposition 2. Given a strictly acyclic word $w$ with non-null product and such that $\|w\| \geq 1$, its length is bounded by $B(\|w\|, N(w), d)$.

We now give the main result: weak execution always terminates and can be computed in an elementary number of resolution steps. We state it first for a loop and then give the result for an arbitrary pair of combinations:

Theorem 1. Let $(U, \sigma)$ be a loop and let us fix $N = \#\sigma U$ and $k = 1 + \max\{\|\phi\| \mid \phi \in \sigma U\}$. We have

$$\mathrm{Ex}^w_\sigma(U) = \sum_{\substack{(\phi_0, \ldots, \phi_n) \in A' \\ n \leq B(k, N, d)}} \phi_0 \cdot \phi_1 \cdots \phi_n,$$

where $A'$ is the set given in Definition 5.

More generally, $(U, \sigma)$ being simply a pair of combinations, let us denote $U = \sum \alpha(\phi)\phi$, $\sigma U = \sum \gamma(\phi)\phi$, and define then as before $N = \#\{\phi \mid \gamma(\phi) \neq 0\}$ and $k = 1 + \max\{\|\phi\| \mid \gamma(\phi) \neq 0\}$. We have:

$$\mathrm{Ex}^w_\sigma(U) = \sum_{\substack{(\phi_0, \ldots, \phi_n) \in A \\ n \leq B(k, N, d)}} \alpha(\phi_0)\Big(\prod_{i=1}^{n} \gamma(\phi_i)\Big)\ \phi_0 \cdot \phi_1 \cdots \phi_n,$$

where $A$ is the set given in Definition 5.

$^2$ Note that $\|\phi_1 \cdots \phi_n\|$ should not be confused with $\|(\phi_1, \ldots, \phi_n)\|$, the former being the width of a clause and the latter the width of the word.

Proof (Proof of theorem 1 ). Let w = {fio , . . . , fin) be a word in the set A with 
n > 1. Let us denote by w' the word {fii^ . . fin) on all. We have N{w') < N 
and llw'll < k. Now, if n > B{k, N, d) then n > i?(||w'||, d) and we know 

by proposition 2 that w' (and consequently w) has a null product. 

Therefore the sum in Ex^ (17) can be restricted to the words of A such that 
n < Bik, N, d). □ 

Let us introduce a few more notations on clauses and words of clauses. To each predicate symbol $P_i$ of our set we associate $d$ predicate symbols, one for each arity $k + 1$ in $\{1, \dots, d\}$; we will denote them all by $P_i$ since anyway, in atoms, the arity of the predicate will be made explicit by the number of terms. For $0 \le k \le d - 1$ we denote by $\mathcal{T}^k \cdot m$ the language built from $\mathcal{T}$ and the family of predicates of arity $k + 1$, and $\mathcal{C}^k$ is defined as before from $\mathcal{T}^k \cdot m$.

Given a clause $\phi = P(t_0, \dots, t_d) \vdash P'(u_0, \dots, u_d)$ of $\mathcal{C}^d$ and $0 \le k \le d - 1$, its $k$-th layer is the clause $[\phi]_k := P(t_k) \vdash P'(u_k)$ of $\mathcal{C}^0$ and its $k$-th truncation is the clause $[\phi]_{(0,k)} := P(t_0, \dots, t_k) \vdash P'(u_0, \dots, u_k)$ of $\mathcal{C}^k$.

The $k$-th layer of a word $w = (\phi_1, \dots, \phi_n)$ is $[w]_k = ([\phi_1]_k, \dots, [\phi_n]_k)$; similarly its $k$-th truncation is $[w]_{(0,k)} = ([\phi_1]_{(0,k)}, \dots, [\phi_n]_{(0,k)})$.

We define the width of atoms by $|P(t_0, \dots, t_k)| = \sup\{|t_i| \mid 0 \le i \le k\}$.

Proof (Proposition 1). We prove the proposition by means of an intermediate inequality, namely we will prove by induction on $d$ the following one:
$$\|\phi_1 \cdots \phi_n\| \le L'(\|w\|, N(w), d) \tag{1}$$
where $L'(a, b, s)$ is defined inductively by:
$$\begin{cases} L'(a, b, 0) = 2ab \\ L'(a, b, s + 1) = 2ab \cdot 2^{4(s+1)\,L'(a, b, s)} \end{cases}$$
Then the announced result will be obtained as a consequence. The next lemmas give the result for $d = 0$. Until it is differently specified we consider clauses in $\mathcal{C}^0$.

Lemma 1. Given two clauses $\phi$ and $\psi$,

1. if $\mathrm{tail}(\phi) \ge \mathrm{head}(\psi)$ then $|\mathrm{head}(\phi\psi)| = |\mathrm{head}(\phi)|$,

2. if $\mathrm{tail}(\phi) < \mathrm{head}(\psi)$ then $|\mathrm{head}(\phi\psi)| \le |\mathrm{head}(\psi)| + |\mathrm{head}(\phi)|$.

Remark 4. Given a word $w = (\phi_1, \dots, \phi_n)$ with non-null product, let us denote $\{j_1, \dots, j_m\} = \{j \ge 2 \mid \mathrm{tail}(\phi_1 \cdots \phi_{j-1}) < \mathrm{head}(\phi_j)\}$. By induction over the integer $m$ we deduce from the previous lemma the following inequality:
$$|\mathrm{head}(\phi_1 \cdots \phi_n)| \le |\mathrm{head}(\phi_1)| + \sum_{i=1}^{m} |\mathrm{head}(\phi_{j_i})| ;$$
analogously for $\mathrm{tail}(\phi_1 \cdots \phi_n)$.
Lemma 2. An acyclic word $w = (\phi_1, \dots, \phi_n)$ with non null product, denoted by $\psi := \phi_1 \cdots \phi_n$, satisfies
$$\|\psi\| \le \|w\|\,(N(w) + 1).$$

Proof. In order to get a contradiction assume $\|\psi\| > \|w\|(N(w) + 1)$. In that case either $|\mathrm{head}(\psi)| > \|w\|(N(w) + 1)$ or $|\mathrm{tail}(\psi)| > \|w\|(N(w) + 1)$. Suppose for instance that we are in the first situation (the second case is handled in a completely symmetric way). By remark 4, using the same notations, we have that $|\mathrm{head}(\phi_1 \cdots \phi_n)| \le (m + 1)\|w\|$; then we have $m \ge N(w) + 1$, so there exist $i_1 < i_2$ such that $\phi := \phi_{j_{i_1}} = \phi_{j_{i_2}}$.

We claim that the sub-product $\phi_{j_{i_1}} \cdots \phi_{j_{i_2} - 1}$ gives a cyclic clause, hence the contradiction with the acyclicity of $w$. Indeed: let us denote $\Pi' := \phi_1 \cdots \phi_{j_{i_1} - 1}$ and $\Pi'' := \phi_{j_{i_1} + 1} \cdots \phi_{j_{i_2} - 1}$; then we have $\mathrm{tail}(\Pi' \cdot \phi \cdot \Pi'') < \mathrm{head}(\phi)$. So, as $\mathrm{tail}(\phi \cdot \Pi'') \le \mathrm{tail}(\Pi' \cdot \phi \cdot \Pi'')$, we get $\mathrm{tail}(\phi \cdot \Pi'') < \mathrm{head}(\phi)$. Moreover, from $\mathrm{head}(\phi) \le \mathrm{head}(\phi \cdot \Pi'')$, we deduce $\mathrm{tail}(\phi \cdot \Pi'') < \mathrm{head}(\phi \cdot \Pi'')$ and we are done. □

This lemma ends the base case of the induction ($d = 0$) since
$$\|w\|(N(w) + 1) \le 2\|w\|N(w) = L'(\|w\|, N(w), 0), \quad \text{as } N(w) \ge 1.$$
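As an added illustration (not code from the paper) of the two points made above, the Python below builds unary terms over the four function symbols $p, q, r, s$, unifies them, and computes the product of a word of one-layer clauses $P(t) \vdash P'(u)$, returning `None` for a null product. It reproduces the non-acyclic word $w_n$ of $n$ copies of $P(x) \vdash P(rx)$, whose product $P(x) \vdash P(r^n x)$ has width $n$ while $\|w_n\| = 1$ and $N(w_n) = 1$, and checks on a small acyclic word that the product width stays within the bound $\|w\|(N(w) + 1)$ of lemma 2 and the head bound of lemma 1. The string encoding of terms, the sample words and the names `Term`, `Clause`, `product`, `word_product`, `lemma1_head_bound` are assumptions of this example.

```python
"""Unary terms, one-layer clauses and their product (resolution).

Added example, not code from the paper. The string encoding of terms and the
names Term, Clause, product, word_product are assumptions of this example;
the signature {p, q, r, s}, the width |t| = number of function symbols and the
sample words follow the text."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SYMBOLS = "pqrs"  # the four unary function symbols of the language


@dataclass(frozen=True)
class Term:
    path: str  # function symbols, outermost first: "pqx" encodes p(q(x))
    var: str   # the variable the term is built on

    def __post_init__(self) -> None:
        assert set(self.path) <= set(SYMBOLS), f"unknown symbol in {self.path!r}"

    def __str__(self) -> str:
        return self.path + self.var


@dataclass(frozen=True)
class Clause:
    pred_head: str
    head: Term
    pred_tail: str
    tail: Term

    def width(self) -> int:
        """||phi||: the largest width of its two atoms (one term each here)."""
        return max(len(self.head.path), len(self.tail.path))

    def __str__(self) -> str:
        return f"{self.pred_head}({self.head}) |- {self.pred_tail}({self.tail})"


def unify(t: Term, u: Term) -> Optional[Dict[str, Term]]:
    """Most general unifier of two unary terms, or None if they clash.

    Unary terms unify iff the shorter symbol path is a prefix of the longer
    one and the shorter term's variable can absorb the leftover suffix."""
    n = min(len(t.path), len(u.path))
    if t.path[:n] != u.path[:n]:
        return None  # clash on a function symbol, e.g. p x against q y
    if len(t.path) == len(u.path):
        return {} if t.var == u.var else {t.var: Term("", u.var)}
    short, long_ = (t, u) if len(t.path) < len(u.path) else (u, t)
    if short.var == long_.var:
        return None  # occurs check: x = r x has no solution
    return {short.var: Term(long_.path[n:], long_.var)}


def substitute(t: Term, sub: Dict[str, Term]) -> Term:
    if t.var not in sub:
        return t
    s = sub[t.var]
    return Term(t.path + s.path, s.var)


def product(phi: Clause, psi: Clause) -> Optional[Clause]:
    """phi . psi: resolve tail(phi) against head(psi); None is the null product."""
    if phi.pred_tail != psi.pred_head:
        return None
    # rename psi apart so that the two clauses share no variable
    fresh = "y" if phi.head.var != "y" else "z"
    psi_head = Term(psi.head.path, fresh)
    psi_tail = Term(psi.tail.path, fresh)
    sub = unify(phi.tail, psi_head)
    if sub is None:
        return None
    head = substitute(phi.head, sub)
    tail = substitute(psi_tail, sub)
    # both atoms now sit on the same variable; normalise its name back to x
    return Clause(phi.pred_head, Term(head.path, "x"), psi.pred_tail, Term(tail.path, "x"))


def word_product(word: List[Clause]) -> Optional[Clause]:
    """Product of a word of clauses, left to right; None as soon as it is null."""
    acc: Optional[Clause] = word[0]
    for clause in word[1:]:
        acc = product(acc, clause)
        if acc is None:
            return None
    return acc


def word_width(word: List[Clause]) -> int:
    """||w||: the largest width of a clause of the word."""
    return max(c.width() for c in word)


def distinct_clauses(word: List[Clause]) -> int:
    """N(w): the number of distinct clauses occurring in the word."""
    return len(set(word))


def lemma1_head_bound(phi: Clause, psi: Clause) -> int:
    """Bound on |head(phi.psi)| from lemma 1: unchanged when tail(phi) is an
    instance of head(psi) (tail(phi) >= head(psi)), else |head(psi)| + |head(phi)|."""
    if phi.tail.path.startswith(psi.head.path):
        return len(phi.head.path)
    return len(psi.head.path) + len(phi.head.path)


# constructed sample words following the text
PHI = Clause("P", Term("", "x"), "P", Term("r", "x"))   # P(x) |- P(r x)
PHI1 = Clause("P", Term("p", "x"), "Q", Term("", "x"))  # P(p x) |- Q(x)
PHI2 = Clause("Q", Term("q", "x"), "R", Term("", "x"))  # Q(q x) |- R(x)


def cyclic_word(n: int) -> List[Clause]:
    """w_n: n copies of PHI; ||w_n|| = 1, N(w_n) = 1, product P(x) |- P(r^n x)."""
    return [PHI] * n
```

`word_product(cyclic_word(n))` grows to width $n$ although the word has width 1 and a single distinct clause, which is exactly why proposition 1 needs acyclicity; `word_product([PHI1, PHI2])` gives $P(pqx) \vdash R(x)$, of width 2 within the lemma 2 bound $1 \cdot (2 + 1) = 3$.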

In order to get the step of induction, we need a few intermediary results about products of clauses.

Lemma 3. Let us consider a word $w = (\phi_1, \dots, \phi_n)$ with non null product; the product of $w$ induces a unique substitution family $(\sigma^0_1, \dots, \sigma^0_n)$ such that $\sigma^0_i$ is defined on the variables of $\phi_i$ and
$$\phi_1 \cdots \phi_n = \mathrm{head}(\phi_1)\sigma^0_1 \vdash \mathrm{tail}(\phi_n)\sigma^0_n ,$$
and $\mathrm{tail}(\phi_i)\sigma^0_i = \mathrm{head}(\phi_{i+1})\sigma^0_{i+1}$ when $1 \le i \le n - 1$.

Moreover, every substitution family $(\sigma_1, \dots, \sigma_n)$ such that $\sigma_i$ is defined on the variables of $\phi_i$ and satisfying:
$$\mathrm{tail}(\phi_i)\sigma_i = \mathrm{head}(\phi_{i+1})\sigma_{i+1} \quad \text{when } 1 \le i \le n - 1 \tag{3}$$
can be obtained from $(\sigma^0_1, \dots, \sigma^0_n)$ by means of a substitution $\theta$ such that $(\sigma_1, \dots, \sigma_n) = (\sigma^0_1\theta, \dots, \sigma^0_n\theta)$.

These properties are proved by induction over the length $n$ of the word.

Remark 5. Note that for $2 \le i \le n - 1$ we have $\mathrm{tail}(\phi_i\sigma^0_i) = \mathrm{head}(\phi_{i+1}\sigma^0_{i+1})$, and that this term is equal either to $\mathrm{tail}(\phi_1 \cdots \phi_i)$ if $\mathrm{tail}(\phi_1 \cdots \phi_i) \ge \mathrm{head}(\phi_{i+1} \cdots \phi_n)$, or to $\mathrm{head}(\phi_{i+1} \cdots \phi_n)$ otherwise.

Lemma 4. Let us consider a word $w = (\phi_1, \dots, \phi_n)$ with non null product; the product of $w$ induces a word $w' = (\phi'_1, \dots, \phi'_n)$ such that $\phi'_i = \phi_i\sigma^0_i$ ($1 \le i \le n$), with $\sigma^0_i$ as in lemma 3. Then for every $i$ and $h$, the subproduct $\phi_i \cdots \phi_{i+h}$ is a projection if and only if the corresponding sub-product of $w'$, $\phi'_i \cdots \phi'_{i+h}$, is a projection.

If $\phi_i \cdots \phi_{i+h}$ is a null-square then $\phi'_i \cdots \phi'_{i+h}$ is a null-square.
We establish now the induction step of inequality (1). Assume the inequality is true for any acyclic word in $\mathcal{C}^k$ with $k \le d$, and take a word $w = (\phi_1, \dots, \phi_n)$ over $\mathcal{C}^{d+1}$. Consider for every layer $[w]_k$ the induced family of substitutions $(\sigma^k_1, \dots, \sigma^k_n)$. Let $w'$ be the word obtained by applying in $w$ the substitution family to every layer $k \le d$ and by freezing variables by means of newly introduced constant symbols $a_k$, i.e. $[\phi'_i]_k = [\phi_i]_k\sigma^k_i\,(a_k/x_k)$ for $0 \le k \le d$ and $[\phi'_i]_{d+1} = [\phi_i]_{d+1}$.

Notice that in $w'$ variables remain only in the last layer $d + 1$, so we can consider $w'$ built over clauses of $\mathcal{C}^0$ with the layers $0, \dots, d$ constituting the predicate (we enlarge our set of predicates).

Let us show that $w'$ is an acyclic word: we take a sub-word $(\phi'_i, \dots, \phi'_{i+h})$ and its product $\phi' := \phi'_i \cdots \phi'_{i+h}$; denote the corresponding sub-product in $w$ by $\phi := \phi_i \cdots \phi_{i+h}$. By lemma 4, if the layer $[\phi]_k$ is a projection then $[\phi']_k$ is a projection too, and if $[\phi]_k$ is a null-square then $[\phi']_k$ is a null-square. Combined with the fact that $\phi$ is an acyclic clause (definition 4), this implies that $\phi'$ is an acyclic clause.

So $w'$ is an acyclic word in $\mathcal{C}^0$ and by establishing $N(w')$ and $\|w'\|$ we obtain the following inequality:
$$\|\phi'_1 \cdots \phi'_n\| \le L'(\|w'\|, N(w'), 0). \tag{4}$$

As the width of a word doesn't depend upon the predicates appearing in its clauses, and the terms in $w'$ are equal to the terms in the last layer of $w$, we have $\|w'\| \le \|w\|$. By definition $N(w')$ is the number of distinct clauses in $w'$; in order to find it we can calculate the number of all possible instances of terms in $w'$.

Remark 5 tells us that $\mathrm{tail}([\phi'_i]_k)$ is equal to $\mathrm{tail}([\phi_1 \cdots \phi_i]_k)(a_k/x_k)$ or to $\mathrm{head}([\phi_{i+1} \cdots \phi_n]_k)(a_k/x_k)$ (similarly for $\mathrm{head}([\phi'_i]_k)$). Moreover we have
$$\|[\phi_1 \cdots \phi_i]_k\| \le \|[\phi_1 \cdots \phi_i]_{(0,k)}\| .$$

Since by induction hypothesis $\|[\phi_1 \cdots \phi_i]_{(0,k)}\| \le L'(\|[w]_{(0,k)}\|, N([w]_{(0,k)}), k)$, we can apply the inequalities $N([w]_{(0,k)}) \le N(w)$ and $\|[w]_{(0,k)}\| \le \|w\|$, and we get
$$\|[\phi_1 \cdots \phi_i]_{(0,k)}\| \le L'(\|w\|, N(w), k).$$
Similarly $\|[\phi_{i+1} \cdots \phi_n]_{(0,k)}\| \le L'(\|w\|, N(w), k)$.

Finally, we obtain $\|[\phi'_i]_k\| \le L'(\|w\|, N(w), k)$, and the number of all possible unary terms built in our language² of length at most $L'(\|w\|, N(w), k)$ is bounded by $4^{L'(\|w\|, N(w), k) + 1}$.

We are now able to bound the number of clauses $N(w')$ in $w'$: the number of possibilities for the choice of the head and tail predicates is bounded by $N(w)$;

² As the number of function symbols in our language is 4, the number of terms of length $k$ is $4^k$, and the number of terms of length at most $l$ is $\sum_{i \le l} 4^i < 4^{l+1}$.
at the level $k$ the number of possibilities for the head and tail terms is bounded by $4^{2(L'(\|w\|, N(w), k) + 1)}$. Therefore we have:
$$N(w') \le N(w) \prod_{k=0}^{d} 4^{2(L'(\|w\|, N(w), k) + 1)} = N(w)\, 2^{\sum_{k=0}^{d} 4(L'(\|w\|, N(w), k) + 1)} .$$

By substitution of the quantities $N(w')$ and $\|w'\|$ in (4) we have
$$\begin{aligned}
\|\phi'_1 \cdots \phi'_n\| &\le L'(\|w'\|, N(w'), 0) = 2\|w'\|N(w') \\
&\le 2\|w\|N(w)\, 2^{\sum_{k=0}^{d} 4(L'(\|w\|, N(w), k) + 1)} \\
&\le 2\|w\|N(w)\, 2^{4(d+1)\,L'(\|w\|, N(w), d)} = L'(\|w\|, N(w), d + 1). 
\end{aligned} \tag{5}$$
We used the following inequality: $L'(a, b, k) + 2 \le L'(a, b, d)$ for $k \le d - 1$.

We therefore get $\|[\phi_1 \cdots \phi_n]_{d+1}\| \le L'(\|w\|, N(w), d + 1)$, and by induction hypothesis we have $\|[\phi_1 \cdots \phi_n]_{(0,d)}\| \le L'(\|w\|, N(w), d)$. Since $L'(\|w\|, N(w), d) \le L'(\|w\|, N(w), d + 1)$, we get:
$$\|\phi_1 \cdots \phi_n\| \le L'(\|w\|, N(w), d + 1).$$

This ends our proof for the induction step and the inequality (1) is established.

Using the inequalities $a \le 2^a$ and $x + y \le xy$ whenever $x \ge 2$ and $y \ge 2$ one easily checks that $L'(a, b, d) \le L(a, b, d)$. This way we infer proposition 1 from inequality (1). □

The proof of proposition 2 uses proposition 1 and is in the same spirit (see [BP99]).

3 Sub-Associativity of Weak Execution

Let $\vdash \Gamma, \Delta, \Delta'$ be a sequent such that in $\Delta$ and $\Delta'$ formulas can be assembled dually in pairs $(B, B^\perp)$. We consider the algebra $\Lambda^*(\Delta, \Delta', \Gamma)$ built, as in section 1, using the language $\mathcal{T}$ and the family of predicates of arity $d + 1$, $\{P_A\}_{A \in \Delta, \Delta', \Gamma}$. Let:
$$\sigma_{\Delta; \Delta', \Gamma} = \sum_{B \in \Delta} P_B(x_0, \dots, x_d) \vdash P_{B^\perp}(x_0, \dots, x_d).$$
We denote $\sigma_{\Delta; \Delta', \Gamma}$ by $\sigma$ and $\sigma_{\Delta'; \Delta, \Gamma}$ by $\tau$, so that $\sigma + \tau = \sigma_{\Delta, \Delta'; \Gamma}$.

Proposition 3 (Sub-associativity of weak execution). Let $U$ be a wiring of $\Lambda^*(\Delta, \Delta', \Gamma)$ and $\sigma$ and $\tau$ defined as above; we have:
$$\mathrm{Result}^{\sigma + \tau}(U) \subseteq \mathrm{Result}^{\tau}(\mathrm{Result}^{\sigma}(U)).$$

Remark 6. The equality is false in general, which contrasts with usual execution and the expected modularity of a valuable computation process. Still, as far as we are dealing with loops coming from proofs, associativity is valid, since we will prove in the sequel that weak execution and ordinary execution coincide on such loops.
4 Interpretation of ELL Proof-Structures

We consider elementary linear logic with $!$-promotion and without additives and quantifiers. The sequent calculus is given in [Ped96]; the rules are as in multiplicative exponential linear logic, except for dereliction, which is not included, and for promotion, which is replaced by $!$-promotion: from $\vdash \Gamma, A$ infer $\vdash\, ?\Gamma, !A$. We now give the corresponding definition of ELL proof-structures. As usual there is a translation of proofs into proof-structures, yielding ELL proof-nets.

4.1 ELL Proof-Structures

Definition 7. The ELL proof-structures are graphs with boxes whose edges are labelled by (multiplicative exponential) LL formulas; they are defined inductively together with their depth by:

— A proof-structure of depth 0 is a labeled graph $R$ built over the nodes:

• Axiom and cut: an ax (axiom) node has no premise and two conclusions labeled by dual formulas $A$ and $A^\perp$; a cut node has two premises labeled by dual formulas (cut formulas) and no conclusion; we consider axioms labeled by atomic formulas to simplify the definition of the interpretation.

• Multiplicative nodes: a $\otimes$ node (resp. a $\parr$ node) has two premises labeled by $A$ and $B$ and one conclusion $A \otimes B$ (resp. $A \parr B$).

— if $R_1, \dots, R_n$ are proof-structures of maximal depth $d$ then a graph $R$ built from $R_1, \dots, R_n$ using the preceding nodes and the following exponential nodes is a proof-structure of depth $d$: a $?c$ (contraction) node has two premises labeled by $?A$ and one conclusion labeled by $?A$; a $?w$ (weakening) node has no premise and one conclusion labeled by a formula $?A$;

— if $R$ is a proof-structure of depth $d$, the box containing $R$ and with conclusions as on the figure is a proof-structure of depth $d + 1$.

The depth of an edge is the number of boxes it is contained in.

We consider in proof-structures oriented paths crossing multiplicative and exponential nodes either from a premise to the conclusion or from the conclusion to a premise, and axiom nodes (resp. cut nodes) from a conclusion (resp. premise) to the other conclusion (resp. premise). A path is up (resp. down) if it only crosses nodes from conclusion to premise (resp. from premise to conclusion).

The length of a path is the number of edges it goes through. If $\gamma_1$ is a path ending upwards (resp. downwards) with an edge conclusion (resp. premise) of a node $N$ and $\gamma_2$ starts upwards (resp. downwards) with an edge premise (resp. conclusion) of $N$, we denote by $\gamma_1; \gamma_2$ their concatenation.

An elementary path of $R$ is a path going upwards from a conclusion or a cut node to an axiom and then downwards to a conclusion or a cut node; we denote their set by $\mathcal{P}_e(R)$. A constant-depth path of $R$ is a path of $R$ which doesn't cross any box node, axiom node or cut node, and which starts upwards with a premise of a box node or downwards with a conclusion of a box node. The depth of such a path is the number of boxes of $R$ it is contained in.

A proof-structure $R$ gives a multiset $\Gamma$ of conclusion formulas and a multiset $\Delta$ of cut formulas (associated dually in couples by cut nodes). The language we consider is $\mathcal{T}^d \cdot m$, where $d$ is the depth of the proof-structure $R$ and $m$ is the cardinality of $\Gamma, \Delta$. Predicates are indexed by formulas in $\Gamma, \Delta$. The wiring part $U_R$ of the loop interpreting $R$ will be obtained by interpreting each elementary path of $R$ by a clause.

4.2 Interpretation of a Proof-Structure

Representation of a constant-depth path by a term. As they don't cross axiom or cut nodes, constant-depth paths are up or down. We only consider constant-depth paths which don't visit any weakening node; this is enough to give the interpretation of proof-structures.

We associate to such a path $\gamma$ of depth $i$ a term $t_\gamma[x_i]$; we define this interpretation below in the case of a path oriented up, by induction on the length of the path. In the case of a down path the interpretation $t_\gamma$ is that of the reversed up path (orientation will be taken into account when we introduce the clauses).

— if $\gamma$ is reduced to an edge premise of a box node, then $t_\gamma = x_i$,

— otherwise we can write $\gamma = \gamma_1; \gamma_2$ where $\gamma_2$ is reduced to an edge premise of a multiplicative or a contraction node:

• if $\gamma_2$ is the left (resp. right) premise of a multiplicative node then $t_\gamma = t_{\gamma_1}[p\,x_i / x_i]$ (resp. $t_\gamma = t_{\gamma_1}[q\,x_i / x_i]$);

• if $\gamma_2$ is the left (resp. right) premise of a contraction node then $t_\gamma = t_{\gamma_1}[r\,x_i / x_i]$ (resp. $t_\gamma = t_{\gamma_1}[s\,x_i / x_i]$).

Representation of an elementary path by a clause. If $\gamma$ is an elementary path of the proof-structure $R$ of depth $d$, it can be decomposed as:
$$\gamma = \gamma_i; \gamma_{i+1}; \dots; \gamma_j; \gamma'_j; \gamma'_{j-1}; \dots; \gamma'_k$$
where $0 \le i, j \le d$ and the path $\gamma_l$ (resp. $\gamma'_l$) for $i \le l \le j$ (resp. $k \le l \le j$) is a constant-depth up path (resp. down path) of depth $l$.

Let $A$ (resp. $A'$) be the beginning (resp. ending) conclusion or cut formula. Their respective depths (i.e. the depths of their edges) are $i$ and $k$. The clause $W(\gamma)$ interpreting the path $\gamma$ (the weight of the path) is given by:
$$P_A(x_0, \dots, x_{i-1}, t_{\gamma_i}, \dots, t_{\gamma_j}, x_{j+1}, \dots, x_d) \;\vdash\; P_{A'}(x_0, \dots, x_{k-1}, t_{\gamma'_k}, \dots, t_{\gamma'_j}, x_{j+1}, \dots, x_d).$$

The ELL proof-structure $R$ is interpreted by the loop $(U_R, \sigma_R)$ with:
$$U_R = \sum_{\gamma \in \mathcal{P}_e(R)} W(\gamma), \qquad \sigma_R = \sum_{B \in \Delta} P_B(x_0, \dots, x_d) \vdash P_{B^\perp}(x_0, \dots, x_d).$$


5 Weak Execution of Proof-Nets

In this section we prove that for every proof net $R$ the associated loop $(U, \sigma)$ satisfies $\mathrm{Result}_\sigma(U) \subseteq \mathrm{Result}^\sigma(U)$. The equality $\mathrm{Result}_\sigma(U) = \mathrm{Result}^\sigma(U)$ follows then by remark 3.

First we will prove a proposition (4) and then we will derive this result as a corollary (1). Let us give before a few definitions.

A balanced path of $R$ is a path starting upwards in a conclusion of $R$ or downwards in a cut premise, and ending downwards in a conclusion of $R$ or in a cut premise. An elementary balanced path $\gamma$ of $R$ is a balanced path crossing at most one cut node, so that:

— if $\gamma$ crosses no cut node it is an elementary path and its weight is given in the previous section;

— if it crosses a cut node from the premise $B$ to the premise $B^\perp$ then it can be decomposed in the path just crossing the cut, with weight $\sigma_0 = P_B(x_0, \dots, x_d) \vdash P_{B^\perp}(x_0, \dots, x_d)$, and in an elementary path $\gamma_0$ with weight $W(\gamma_0)$, so its weight is $W(\gamma) = \sigma_0 \cdot W(\gamma_0)$.

Any balanced path $\gamma$ can be written as a concatenation of elementary balanced paths $\gamma = \gamma_0; \dots; \gamma_n$, and its weight is given by the product
$$W(\gamma) = W(\gamma_0) \cdots W(\gamma_n).$$

Definition 8. We say a clause $\phi = P(t_0, \dots, t_d) \vdash P'(u_0, \dots, u_d)$ is cyclic at depth $k \le d$ if: (1) $P = P'$, (2) for all $i < k$, $t_i = u_i$, (3) $t_k \neq u_k$ and $t_k$ and $u_k$ are comparable.

We say the clause is cyclic at depth $+\infty$ if it is a projection.

We need three intermediary lemmas:

Lemma 5. Let $R$ be a proof-net and $\gamma$ be a balanced path of $R$ such that $W(\gamma)$ is non-null and cyclic at depth $k$. Then $\gamma$ crosses at least one cut in $R$ at depth lower than $k$.

A special cut w.r.t. a path $\gamma$ is an exponential cut $a$ such that $\gamma$ crosses $a$ but doesn't cross any cut below the auxiliary ports of the box associated to the $!$-premise of $a$ (special cuts have been introduced by Regnier and Danos in [Reg92], [Dan90]). We use a variant of the "special cut lemma" stated in [Reg92]:

Lemma 6. Let $\gamma$ be a path of a proof-net $R$. If $\gamma$ crosses only exponential cuts at depth lower than $k$, and at least one, then $R$ has a special exponential cut w.r.t. $\gamma$ at depth lower than $k$.

Lemma 7. Let $R$ be a proof-net and $\gamma$ be a balanced path of $R$ such that $W(\gamma)$ is cyclic at depth $k$. Assume $a$ is a cut of $R$ at depth lower than $k$ and crossed by $\gamma$, which is either a multiplicative or axiom cut or a special exponential cut w.r.t. $\gamma$. Let $R'$ be the proof-net obtained from $R$ by reducing $a$. Then $R'$ has a balanced path $\gamma'$ such that $W(\gamma')$ is non-null and cyclic at depth $k$.

Proposition 4. Given a proof net $R$ and $\gamma$ a balanced path of non-null weight, the clause $W(\gamma)$ associated to $\gamma$ is acyclic.

Proof. In order to get a contradiction assume the proof-net $R$ has a balanced path $\psi$ of non-null weight cyclic at depth $k$. By lemma 5 this implies that $\psi$ crosses at least one cut in $R$ at depth lower than $k$. The idea is then to reduce progressively all the cuts at depth lower than $k$ crossed by $\psi$, in such a way that at each step we keep in the corresponding proof-net a path satisfying the hypothesis. Now in order to do so we need to consider a particular strategy of reduction:

— if there is a multiplicative cut at depth lower than $k$ crossed by the path, then we reduce it,

— otherwise, if all cuts crossed by the path at depth lower than $k$ are exponential, then we choose a special cut w.r.t. the path and reduce it.

We build a sequence $(R_i, \delta_i)$ of pairs of a proof-net and a path in it satisfying the property: $W(\delta_i)$ is non-null and cyclic at depth lower than $k$. Put $R_0 = R$ and $\delta_0 = \psi$. Now assume the sequence has been defined up to rank $i \ge 0$. By lemma 5, $\delta_i$ crosses at least one cut in $R_i$ at depth lower than $k$. If it crosses a multiplicative or axiom cut $a$ at depth lower than $k$, take for $R_{i+1}$ the proof-net obtained from $R_i$ by reducing $a$; then by lemma 7 we know that $R_{i+1}$ has a path satisfying the hypothesis, which we take as $\delta_{i+1}$. Otherwise lemma 6 ensures that $R_i$ has a special exponential cut $a$ w.r.t. $\delta_i$ at depth lower than $k$, and this is the cut we choose (lemma 7 then gives $\delta_{i+1}$ in the same way).

This way we build an infinite sequence $(R_i, \delta_i)$ of pairs of a proof-net and a path in it with these properties. This sequence contradicts the strong normalization property of ELL. □

From this proposition, we derive the two following corollaries:

Corollary 1. Let $(U, \sigma)$ be the loop associated to a proof-net $R$; we have:
$$\mathrm{Result}^\sigma(U) = \mathrm{Result}_\sigma(U).$$

Corollary 2. Let $(U, \sigma + \tau)$ be the loop associated to a proof-net $R$; then:
$$\mathrm{Result}^\tau(\mathrm{Result}^\sigma(U)) = \mathrm{Result}^{\sigma + \tau}(U) = \mathrm{Result}_{\sigma + \tau}(U).$$
Conclusion and Perspectives: Broadly speaking, our aim is to define a setting as large, and as simple, as possible for elementarily bounded computations. Weak Execution satisfies the complexity requirement with respect to programs of clauses of our algebra but (partially) fails to fulfill the modularity requirement. We are looking for a sufficient condition on programs which would ensure this modularity/associativity property for a larger class of programs than those coming from proof-nets. One direction under exploration (suggested in [Gir95b]) is that of an untyped calculus whose computations would be performed in the algebra through Weak Execution.
Abstract. In the coherence space semantics of linear logic, the webs of the spaces interpreting the exponentials may be defined using multicliques (multisets whose supports are cliques) instead of cliques. Inspired by the quantitative semantics of Jean-Yves Girard, we give a characterization of the morphisms of the co-Kleisli category of the corresponding comonad (this category is cartesian closed and, therefore, is a model of intuitionistic logic). It turns out that these morphisms are the convex and multiplicative functions mapping multicliques to multicliques. This characterization is achieved via a normal form theorem, which associates a trace to each such map.



Introduction 

The notion of stable function has been introduced by Berry for the purpose of modeling functional programming languages like PCF [1]. In the framework of dilators (functors acting on ordinals), Girard discovered independently stability as a condition allowing for a finitary representation of these functors. He applied the same idea to the denotational semantics of system F (see [3]) and this led him to the crucial observation that this semantics (which is an extension of Berry's semantics of PCF) can be described in the framework of qualitative domains, and even in the one of coherence spaces, which are particular qualitative domains. Berry actually developed his semantics in the framework of dI-domains (Scott domains satisfying some further properties). Coherence spaces are very particular dI-domains which define a sub-cartesian-closed category of the category of dI-domains and stable functions.

A coherence space is a symmetric and reflexive unlabelled graph (its web is the set of vertices; two vertices which are related are said to be coherent). The cliques of this graph are the elements of the corresponding dI-domain (singletons correspond to prime elements, finite cliques to compact elements).

This work was partially supported by HCM Project CHRX-CT93-0046 “Typed 
Lambda-Calculus” . 
The space of stable functions from a coherence space $X$ to a coherence space $Y$ can in turn be described as a coherence space $Z$ through traces: if $f$ is a stable function from $X$ to $Y$, the trace of $f$ is the set of all couples $(x_0, b)$ where $b$ is a vertex of $Y$ and $x_0$ is a finite clique of $X$ minimal such that $b \in f(x_0)$. This leads to the idea that the function space operation (which corresponds to implication through the Curry-Howard isomorphism) is not atomic. It can be decomposed in two operations: (set) exponential and linear function space.

The exponential $!X$ of a coherence space $X$ has as web the set of all finite cliques of $X$, and the linear function space $X' \multimap Y$ of two coherence spaces $X'$ and $Y$ has as web the cartesian product of the webs of $X'$ and $Y$. There is a natural isomorphism between the space of stable functions from the cliques of $X$ to those of $Y$ and the cliques of $!X \multimap Y$.

These two operations have logical counterparts which are made explicit as logical connectives in linear logic ([4,8,6] describe the coherence space semantics of linear logic).

Van de Wiele observed that alternative definitions of the exponential operation on coherence spaces are available. More specifically, from a categorical viewpoint, the exponential is an endofunctor on the category of coherence spaces and linear maps, and this functor has an additional structure of comonad satisfying some further requirements (the image of a coherence space by this functor has a canonical structure of commutative comonoid, see [2]). These properties do not characterize the exponential in a unique way. Van de Wiele proposed in particular a version of this operation where the web of $!_m X$, the multiset exponential of $X$, is the set of all finite multisets of the web of $X$ whose support is a clique. From a categorical viewpoint, this exponential is extremely natural: the image of a coherence space by this functor is the free commutative comonoid on this coherence space.

This multiset exponential gives rise to a semantics of linear logic where the cliques of $!_m X \multimap Y$ may also be viewed as functions acting on the cliques of $X$. But these multiset morphisms are not characterized by their applicative behavior on cliques, in sharp contrast with the set semantics. Hence, a very natural question arises: can we, in a uniform way, associate to each coherence space $X$ some space $\widetilde{X}$ in such a way that each clique of $!_m X \multimap Y$ may be seen as a function preserving some structure from $\widetilde{X}$ to $\widetilde{Y}$, and conversely?

This paper provides a positive and natural answer to this question, inspired by a work of Girard who, before introducing qualitative domains, and already guided by his dilators intuitions, considered in [5] a quantitative semantics of $\lambda$-calculus where the interpretation of a term takes into account the number of times a value is used in a computation. Actually, in that semantics, these "numbers" are sets, and morphisms are functors acting on families of sets, preserving directed limits, pullbacks and kernels. The nice feature of this semantics is that, like dilators and stable functions, these morphisms admit a "normal form theorem" (relying on a "formal series" representation).

Simplifying this approach, we replace each of the arbitrary sets of quantitative semantics by a natural number (the simplification is thus twofold: first we restrict to finite sets, and second, we restrict to their cardinality). This leads to associating to a coherence space $X$ the set $\widetilde{X}$ (that we shall denote by $\mathcal{M}(X)$) of all the multicliques of $X$. We establish an isomorphism between the cliques of $!_m X \multimap Y$ and the functions from $\mathcal{M}(X)$ to $\mathcal{M}(Y)$ which preserve finite products of compatible multicliques, and satisfy a convexity criterion (these properties, together, imply Scott continuity). If convexity has hardly a domain-theoretic counterpart, the product preservation property clearly corresponds to the standard meets preservation property of stable functions. In particular, for multiset supports, the two preservation properties trivially coincide (the meet of the supports is the support of the product).

1 Preliminaries on multisets

We denote by $\mathbb{N}^+$ the set of non zero natural numbers.

Let $S$ be a set. A multiset $\mu$ of $S$ is a function mapping each element $a$ of $S$ to a natural number, the multiplicity of $a$ in $\mu$. We denote by $|\mu|$ the set $\{a \mid \mu(a) \neq 0\}$, which we call the support of $\mu$. We denote a multiset by an enumeration (delimited by square brackets) of the elements of its support, each as many times as its multiplicity in the multiset. We denote by $0$ the multiset whose support is the empty set. A multiset whose support is a finite set is called a finite multiset. Let $a \in S$; we also denote by $a$ the multiset whose support is $\{a\}$ and in which the multiplicity of $a$ is 1.

Observe that, since multisets are functions to natural numbers, the sum, product and exponentiation of multisets are well-defined (in a pointwise manner), and similarly, the standard order on natural numbers induces a (partial) order on multisets that we shall denote by $\le$.

Let $\mu$ be a multiset of $S$. Observe that, if $\mu^2 = \mu$ then, for every $a$ in $S$, $\mu(a)$ is 0 or 1. We shall represent sets using these multisets. They enjoy the following immediate property.

Lemma 1. Let $S$ be a set. Let $\mu$ be a multiset of $S$ such that $\mu^2 = \mu$. For any multisets $\mu_1$ and $\mu_2$ of $S$ such that $|\mu_1|, |\mu_2| \le \mu$,
$$\text{if } \mu_1 \mu_2 = 0 \text{ then } (\mu + \mu_1)(\mu + \mu_2) = \mu + \mu_1 + \mu_2 .$$

2 Coherence semantics

We shall give a brief review of coherence semantics. We begin with the definition of a coherence space.

Definition 1. A coherence space $X$ is a pair $(|X|, \asymp_X)$ where $|X|$ is a countable set (the web of $X$, whose elements are called points of $X$) and $\asymp_X$ is a symmetric and reflexive binary relation on $|X|$. Two elements of $|X|$ that are in this relation are said to be coherent. Otherwise they are said to be incoherent.

A clique of $X$ is a subset $x$ of $|X|$ such that, for any $a_1, a_2 \in x$, $a_1 \asymp_X a_2$. A multiclique of $X$ is a multiset $\mu$ of $|X|$ such that $|\mu|$ is a clique of $X$.
We denote by $\frown_X$, and call strict coherence relation of $X$, the relation obtained from $\asymp_X$ by removing the diagonal. We denote by $\mathbf{1}$ the coherence space whose web is the singleton $\{*\}$. The set of cliques of $X$, that we denote by $\mathcal{C}(X)$, is a qualitative domain ordered by the inclusion order. The set of multicliques of $X$, which is ordered by $\le$, is denoted by $\mathcal{M}(X)$.

Definition 2. Let $X$ and $Y$ be coherence spaces. A linear map from $X$ to $Y$ is a function $f$ from $\mathcal{C}(X)$ to $\mathcal{C}(Y)$ such that:

- for any $x \in \mathcal{C}(X)$, $f(x) = \bigcup_{a \in x} f(\{a\})$;

- for any $x_1, x_2 \in \mathcal{C}(X)$, if $x_1 \cup x_2 \in \mathcal{C}(X)$ then $f(x_1 \cap x_2) = f(x_1) \cap f(x_2)$.

We denote by $\mathbf{Coh}$ the category whose objects are the coherence spaces and whose morphisms are the linear maps.

Let $X$ and $Y$ be coherence spaces. The linear implication of $X$ and $Y$ is defined by $|X \multimap Y| = |X| \times |Y|$ and
$$(a_1, b_1) \asymp_{X \multimap Y} (a_2, b_2) \quad \text{iff} \quad (a_1 \asymp_X a_2 \Rightarrow b_1 \asymp_Y b_2) \text{ and } (a_1 \frown_X a_2 \Rightarrow b_1 \frown_Y b_2).$$

There is a bijective correspondence between the linear maps from $X$ to $Y$ and the cliques of $X \multimap Y$. To any linear map $f$ from $X$ to $Y$, we associate its trace $\mathcal{T}(f) \in \mathcal{C}(X \multimap Y)$, defined by
$$\mathcal{T}(f) = \{(a, b) \mid b \in f(\{a\})\}.$$
Reciprocally, to any clique $t$ of $X \multimap Y$, we associate the linear map $\mathcal{F}(t)$ from $X$ to $Y$, defined, for any clique $x$ of $X$, by
$$\mathcal{F}(t)(x) = \{b \mid \exists a \in x\; (a, b) \in t\}.$$
We shall indifferently use the same symbol to denote a linear map and its trace.

We recall now the definitions of the set exponentials and the multiset exponentials. Let $X$ be a coherence space.

- Set of course. The points of $|{!X}|$ are the finite cliques of $X$. Two finite cliques $x_1$ and $x_2$ are coherent in $!X$ if, for any $a_1 \in x_1$ and $a_2 \in x_2$, $a_1 \asymp_X a_2$.

- Multiset of course. The points of $|{!_m X}|$ are the finite multicliques of $X$. Two finite multicliques $\mu_1$ and $\mu_2$ are coherent in $!_m X$ if $|\mu_1|$ and $|\mu_2|$ are coherent in $!X$.

We shall write $!$ to refer to either of the two exponentials (set or multiset) when the distinction is irrelevant. The operation $!$ is a functor from $\mathbf{Coh}$ to itself which, furthermore, is endowed with a comonad structure. We denote by $\mathbf{coK}(!)$ the co-Kleisli category of the comonad $!$, which is a cartesian closed category (CCC) and, hence, is a model of intuitionistic logic (and also of PCF). The objects of this category are the coherence spaces and, given any coherence spaces $X$ and $Y$, a morphism from $X$ to $Y$ is a clique in $!X \multimap Y$.
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Whenever a category has a terminal object, a point of an object in that 
category is a morphism from the terminal object to the object in question. Then, 
given any coherence space X, a point of X in coK(!) is a morphism from the 
terminal object of coK(!) (the coherence space whose web is the empty set) to 
X. This means that a point of X in coK(!) is a clique of X. Let X and Y be 
coherence spaces. The evaluation map of the CCC yields a canonical notion of 
application of a morphism from X to T to a point of X in coK(!), thus getting 
a point of Y in coK(!). In other terms, the cliques oi \X ^ Y send cliques of X 
to cliques of y in a canonical way. Let us focus on the set exponentials. 

Definition 3. Let X and Y be coherence spaces. A stable map from X to Y is 
a function f from C{X) to C{Y), such that f is monotone, continuous (commu- 
tation to directed unions) and, for any cliques x\ and X 2 of X, 

xiUx2eC{X) => /(a;i n X2) = /(xi) n /(X2) • 

Stable maps enjoy the following normal form theorem: let $X$ and $Y$ be coherence spaces and $f$ be a stable map from $X$ to $Y$; let $x \in C(X)$ and $b \in f(x)$; then

- there is an $x_0 \subseteq x$ such that $x_0$ is finite and $b \in f(x_0)$;

- if $x_0$ is chosen minimal w.r.t. inclusion, then it is unique.

There is a bijective correspondence between the stable maps from $X$ to $Y$ and the cliques of $!X \multimap Y$. To every stable map $f$ from $X$ to $Y$ we associate, by use of the normal form theorem, its trace $\mathcal{T}(f) \in C(!X \multimap Y)$, defined by

$$\mathcal{T}(f) = \{(x_0, b) \mid x_0 \in C(X) \wedge b \in f(x_0) \wedge \forall y \subseteq x_0\, (b \in f(y) \Rightarrow y = x_0)\}.$$

Reciprocally, to any clique $t$ of $!X \multimap Y$ we associate, by use of the evaluation map of coK($!$), the stable map $\mathcal{F}(t)$ from $X$ to $Y$, defined, for any clique $x$ of $X$, by

$$\mathcal{F}(t)(x) = \{b \mid \exists x_0 \in |{!}X|\, ((x_0, b) \in t \wedge x_0 \subseteq x)\}.$$

In fact, $\mathcal{F}$ is a functor from coK($!$) to the category whose objects are the coherence spaces and whose morphisms are the stable maps; $\mathcal{T}$ is a functor going in the opposite direction. And it holds that, for any stable map $f$ from $X$ to $Y$ and for any clique $t$ of $!X \multimap Y$,

$$\mathcal{F}(\mathcal{T}(f)) = f \quad\text{and}\quad \mathcal{T}(\mathcal{F}(t)) = t.$$

We shall indifferently use the same symbol to denote a stable map and its trace.

Observe that all linear maps are stable. Furthermore, given any coherence spaces $X$ and $Y$, there is a bijective correspondence between the linear maps from $X$ to $Y$ and the stable maps $f$ from $X$ to $Y$ such that

- $f(\emptyset) = \emptyset$;

- if $x_1 \cup x_2 \in C(X)$ then $f(x_1 \cup x_2) = f(x_1) \cup f(x_2)$.
Stable maps are naturally ordered by the set inclusion of traces. This order, denoted by $\leq_B$, is called stable order or Berry order and has the following functional counterpart: let $X$ and $Y$ be coherence spaces; let $f$ and $g$ be stable maps from $X$ to $Y$; then

$$f \leq_B g \iff \forall x, y \in C(X)\, (x \cup y \in C(X) \Rightarrow f(x \cap y) = f(x) \cap g(y)).$$

For more information on the coherence spaces denotational semantics of linear logic, we refer to [4,8,6].

Let us now go back to the multiset exponentials. Let $X$ and $Y$ be coherence spaces. By use of the evaluation map of coK($¡$), we associate to each clique $t$ of $¡X \multimap Y$ a function from $C(X)$ to $C(Y)$, sending a clique $x$ of $X$ to the following clique of $Y$:

$$\{b \mid \exists \mu_0 \in |¡X|\, ((\mu_0, b) \in t \wedge |\mu_0| \subseteq x)\}.$$

But this kind of function does not enjoy a normal form theorem allowing to recover the underlying clique from the function. In fact, several cliques may correspond to the same function. Indeed, if we take the two cliques $\{([*], *)\}$ and $\{([*, *], *)\}$ of $¡1 \multimap 1$, one may easily check that, by use of the evaluation map of coK($¡$), they have the same functional behaviour: both send the empty clique of $1$ to the empty clique and the clique $\{*\}$ to $\{*\}$, since the supports of $[*]$ and of $[*, *]$ are the same set $\{*\}$. This means that the category coK($¡$) does not have enough points to sort its morphisms (it is not well pointed).

3 Convex and multiplicative maps

We start by the definitions.

Definition 4. Let $X$, $Y$ be coherence spaces. A convex map from $X$ to $Y$ is a function $f$ from $\mathcal{M}(X)$ to $\mathcal{M}(Y)$ such that, for any $\mu, \nu, \rho \in \mathcal{M}(X)$ obeying $\mu + \nu + \rho \in \mathcal{M}(X)$,

$$\mu \leq \nu \Rightarrow f(\mu + \rho) + f(\nu) \leq f(\mu) + f(\nu + \rho).$$

Definition 5. Let $X$, $Y$ be coherence spaces. A multiplicative map from $X$ to $Y$ is a function $f$ from $\mathcal{M}(X)$ to $\mathcal{M}(Y)$ such that, for any $\mu, \nu \in \mathcal{M}(X)$,

$$\mu + \nu \in \mathcal{M}(X) \Rightarrow f(\mu\nu) = f(\mu) f(\nu).$$

In fact, our main purpose in this section will be to prove that convexity and multiplicativity, together, imply continuity. We first observe the following.

Lemma 2. Let $X$, $Y$ be coherence spaces and $f$ a function from $\mathcal{M}(X)$ to $\mathcal{M}(Y)$. If $f$ is convex and multiplicative, then $f$ is monotone.

We shall now place ourselves in the conditions of Lemma 2. Since the referred lemma yields that $f$ is monotone, then, for any $\mu, \nu, \rho \in \mathcal{M}(X)$ such that $\mu + \rho \in \mathcal{M}(X)$ and $\nu + \rho \in \mathcal{M}(X)$, we have that

$$f(\mu) \leq f(\mu + \rho) \quad\text{and}\quad f(\nu) \leq f(\nu + \rho).$$

Therefore, $f$ is convex and multiplicative if, and only if, $f$ is monotone, multiplicative and obeys, for any $\mu, \nu, \rho \in \mathcal{M}(X)$ such that $\mu + \rho, \nu + \rho \in \mathcal{M}(X)$,

$$\mu \leq \nu \Rightarrow f(\mu + \rho) - f(\mu) \leq f(\nu + \rho) - f(\nu).$$

This means that the increment of $f$ grows with its argument, whence the term convex.

Let $X$ be a coherence space. Observe that $\mathcal{M}(1) = \mathbb{N}$ and, then, it makes sense to speak of the multiplicativity and the convexity of the functions from $\mathcal{M}(X)$ to $\mathbb{N}$. We shall now state some of their properties.

Lemma 3. Let $X$ be a coherence space and $f$ a function from $\mathcal{M}(X)$ to $\mathbb{N}$, convex and multiplicative. Let $\mu$ be an infinite multiclique of $X$ such that $\mu^2 = \mu$ and $f(\mu) = 1$. Given any $\rho \leq \mu$, if $f(\mu + \rho) > 1$, then there exists $a \in \rho$ such that $f(\mu + a) > 1$.

Proof. Observe that, since $\rho \leq \mu$, the multiset $\rho$ is actually a set (that is, $\rho^2 = \rho$).

We shall first consider the case in which $\rho$ is finite. Since $\rho^2 = \rho$ we can write $\rho = a_1 + \cdots + a_n$ with $a_i \neq a_j$ for any $i, j \in \{1, \ldots, n\}$ such that $i \neq j$. Iterating Lemma 1 and using the fact that $f$ is multiplicative, we get

$$f(\mu + \rho) = \prod_{i=1}^{n} f(\mu + a_i).$$

But, by hypothesis, $f(\mu + \rho) > 1$ and thus, for some $i \in \{1, \ldots, n\}$, we have $f(\mu + a_i) > 1$, which proves the lemma for the finite case.

Let us now assume that $\rho$ is an infinite set. Since $|X|$ is countable, so is $\rho$. Let $(a_i)_{i \in \mathbb{N}^+}$ be an enumeration without repetitions of $\rho$. Let $\nu$ be the multiset such that $|\nu| = \rho$ and $\nu(a_i) = i$ for every $i \in \mathbb{N}^+$.

For every $N \in \mathbb{N}^+$ we define the multiset $\nu_N$ by

$$\nu_N(a) = \begin{cases} N & \text{if } 1 \leq \nu(a) \leq N \\ \nu(a) & \text{otherwise,} \end{cases}$$

so that clearly $|\nu_N| = \rho$. One may easily check that, for any $N \in \mathbb{N}^+$, $\nu_N \geq N\rho$, and then, since, by Lemma 2, $f$ is monotone, it holds that $f(\mu + \nu_N) \geq f(\mu + N\rho)$. We shall now prove, by an induction on $N \in \mathbb{N}^+$, that $f(\mu + N\rho) \geq N$. For $N = 1$, this property holds as we have assumed $f(\mu + \rho) > 1$. Let us now assume, as inductive hypothesis, that $f(\mu + N\rho) \geq N$. Since $\mu \leq \mu + \rho$, the convexity of $f$ yields that

$$f(\mu + N\rho) + f(\mu + \rho) \leq f(\mu) + f((\mu + \rho) + N\rho).$$

By hypothesis $f(\mu) = 1$ and $f(\mu + \rho) > 1$, which entails that

$$f(\mu + N\rho) + 2 \leq 1 + f(\mu + (N + 1)\rho).$$

We finally apply the inductive hypothesis to get that $f(\mu + (N + 1)\rho) \geq N + 1$.

We have shown that, for any $N \in \mathbb{N}^+$, $f(\mu + \nu_N) \geq f(\mu + N\rho)$ and $f(\mu + N\rho) \geq N$. Hence, it holds that

$$\text{for any } N \in \mathbb{N}^+,\quad f(\mu + \nu_N) \geq N.$$

Let us define, for every $N \in \mathbb{N}^+$, the following multisets

$$\bar{\nu}_N = \sum_{1 \leq i \leq N} a_i \quad\text{and}\quad \hat{\nu}_N = \sum_{i > N} a_i,$$

which are such that $\bar{\nu}_N \hat{\nu}_N = 0$ and $\rho = \bar{\nu}_N + \hat{\nu}_N$. Since $\rho^2 = \rho$ and $|\nu| = |\nu_N| = \rho$, one may easily check that $\nu\rho = \nu$ and $\nu_N\rho = \nu_N$, which entails

$$\nu = \nu\bar{\nu}_N + \nu\hat{\nu}_N \quad\text{and}\quad \nu_N = \nu_N\bar{\nu}_N + \nu_N\hat{\nu}_N.$$

Since we have that $(\nu\bar{\nu}_N)(\nu\hat{\nu}_N) = 0$ and $(\nu_N\bar{\nu}_N)(\nu_N\hat{\nu}_N) = 0$, we are in the conditions of Lemma 1 and we get:

$$\mu + \nu = \mu + \nu\bar{\nu}_N + \nu\hat{\nu}_N = (\mu + \nu\bar{\nu}_N)(\mu + \nu\hat{\nu}_N);$$

$$\mu + \nu_N = \mu + \nu_N\bar{\nu}_N + \nu_N\hat{\nu}_N = (\mu + \nu_N\bar{\nu}_N)(\mu + \nu_N\hat{\nu}_N).$$

By inspecting the definition of $\nu_N$ one immediately deduces that, for every $N \in \mathbb{N}^+$, $\nu\hat{\nu}_N = \nu_N\hat{\nu}_N$, and then, trivially, $f(\mu + \nu\hat{\nu}_N) = f(\mu + \nu_N\hat{\nu}_N)$. Let us suppose that, for every $N \in \mathbb{N}^+$, we have $f(\mu + \nu\bar{\nu}_N) = f(\mu + \nu_N\bar{\nu}_N)$. Then, since $f$ is multiplicative, for every $N \in \mathbb{N}^+$ it holds that $f(\mu + \nu) = f(\mu + \nu_N)$. But we have shown that, for any $N \in \mathbb{N}^+$, $f(\mu + \nu_N) \geq N$, and this entails that, for every $N \in \mathbb{N}^+$, $f(\mu + \nu) \geq N$, which is in contradiction with the fact that $f(\mu + \nu)$ is finite.

Then there exists $N_0 \in \mathbb{N}^+$ such that $f(\mu + \nu\bar{\nu}_{N_0}) \neq f(\mu + \nu_{N_0}\bar{\nu}_{N_0})$. But $\nu_{N_0}\bar{\nu}_{N_0} = N_0\bar{\nu}_{N_0}$, hence $\nu\bar{\nu}_{N_0} \leq N_0\bar{\nu}_{N_0}$, so, given that $f$ is monotone with $f(\mu) = 1$, we have $f(\mu + N_0\bar{\nu}_{N_0}) > 1$. Let us define $\rho_0 = N_0\bar{\nu}_{N_0}$, which is finite, since $\bar{\nu}_{N_0}$ is finite. Furthermore, we know that $|\bar{\nu}_{N_0}| \subseteq |\nu_{N_0}| = \rho$, which entails $|\rho_0| \leq \rho$. But, by hypothesis, $\rho \leq \mu$ and, therefore, $|\rho_0| \leq \mu$.

Since $\mu \leq \mu + \rho_0$, the convexity of $f$ yields that

$$f(\mu + (\rho_0 + |\rho_0|)) + f(\mu + \rho_0) \leq f(\mu) + f((\mu + \rho_0) + (\rho_0 + |\rho_0|)).$$

But $f$ is monotone and, therefore, $f(\mu + (\rho_0 + |\rho_0|)) \geq f(\mu + \rho_0)$, which entails, since $f(\mu + \rho_0) > 1$, that $f(\mu + (\rho_0 + |\rho_0|)) > 1$. Then, the convexity inequality above implies

$$1 + f(\mu + \rho_0) < f(\mu) + f(\mu + 2\rho_0 + |\rho_0|),$$

which amounts to $f(\mu + \rho_0) < f(\mu + 2\rho_0 + |\rho_0|)$. Observe that

$$(\mu + \rho_0)(\mu + |\rho_0|) = \mu^2 + \mu|\rho_0| + \rho_0\mu + \rho_0|\rho_0| = \mu + 2\rho_0 + |\rho_0|,$$

hence

$$f(\mu + \rho_0) < f(\mu + \rho_0)\, f(\mu + |\rho_0|),$$

which amounts to $f(\mu + |\rho_0|) > 1$. Since $\rho_0$ is finite and $|\rho_0| \leq \mu$, we are back to the finite case we have treated in the first place, and this ends the proof. □
The previous lemma is the key to continuity. Indeed, it shows that when the output of $f$ increases, it is possible to find at least one point in $|X|$ which is responsible for a non-zero part of that increase. But, due to multiplicativity, there can be only finitely many such points. And we have the following lemma.

Lemma 4. Let $X$ be a coherence space and $f$ a function from $\mathcal{M}(X)$ to $\mathbb{N}$, convex and multiplicative. Let $\mu$ be an infinite multiclique of $X$ such that $\mu^2 = \mu$ and $f(\mu) = 1$. Then, there exists $\mu_0 \leq \mu$ such that $\mu_0$ is finite and $f(\mu_0) = 1$.

4 From cliques to functions

Let $X$ be a coherence space and $\mu$, $\mu_0$ be multicliques of $X$, such that $\mu_0$ is finite. Then, given that, for any $n \in \mathbb{N}$, $n^0 = 1$, the product $\prod_{a \in |X|} \mu(a)^{\mu_0(a)}$ is well-defined and we have

$$\prod_{a \in |X|} \mu(a)^{\mu_0(a)} = \prod_{a \in |\mu_0|} \mu(a)^{\mu_0(a)}.$$

Furthermore, this product is equal to $0$ if, and only if, there exists $a \in |\mu_0|$ such that $\mu(a)^{\mu_0(a)} = 0$, or, in an equivalent way, $\mu(a) = 0$ and $\mu_0(a) \neq 0$ (since $0^0 = 1$), which means that $|\mu_0| \not\leq \mu$. And this shows that

$$\prod_{a \in |X|} \mu(a)^{\mu_0(a)} \neq 0 \iff |\mu_0| \leq \mu.$$

Let $Y$ be a coherence space and $t \in C(¡X \multimap Y)$. Let $(\mu_0, b), (\nu_0, b) \in t$ such that

$$\prod_{a \in |X|} \mu(a)^{\mu_0(a)} \neq 0 \quad\text{and}\quad \prod_{a \in |X|} \mu(a)^{\nu_0(a)} \neq 0.$$

Then, we have that $|\mu_0| \leq \mu$ and $|\nu_0| \leq \mu$, and thus $\mu_0 \mathrel{\frown}_{¡X} \nu_0$. But $(\mu_0, b) \mathrel{\frown}_{¡X \multimap Y} (\nu_0, b)$, which entails that $\mu_0 = \nu_0$. Therefore, for any $\mu \in \mathcal{M}(X)$ and $b \in |Y|$, there is at most one multiclique $\mu_0$ of $X$ such that

$$(\mu_0, b) \in t \quad\text{and}\quad \prod_{a \in |X|} \mu(a)^{\mu_0(a)} \neq 0.$$

This entails that, for any $\mu \in \mathcal{M}(X)$, the sum

$$\sum_{(\mu_0, b) \in t} \Big(\prod_{a \in |X|} \mu(a)^{\mu_0(a)}\Big)\, b$$

is, trivially, well-defined: for each $b \in |Y|$ at most one of its terms is non-zero.

We shall now prove that this sum is a multiclique of $Y$. Let $b_1, b_2 \in |Y|$ such that there are $\mu_1, \mu_2 \in \mathcal{M}(X)$ obeying $(\mu_1, b_1), (\mu_2, b_2) \in t$ and

$$\prod_{a \in |X|} \mu(a)^{\mu_1(a)} \neq 0 \quad\text{and}\quad \prod_{a \in |X|} \mu(a)^{\mu_2(a)} \neq 0.$$

Then, we have that $|\mu_1|, |\mu_2| \leq \mu$ and thus $\mu_1 \mathrel{\frown}_{¡X} \mu_2$. Therefore, since $(\mu_1, b_1) \mathrel{\frown}_{¡X \multimap Y} (\mu_2, b_2)$, it holds that $b_1 \mathrel{\frown}_Y b_2$.

We are now in a position to give the following definition.

Definition 6. Let $X$ and $Y$ be coherence spaces and $t \in C(¡X \multimap Y)$. We define $\mathcal{F}(t)$, a function from $\mathcal{M}(X)$ to $\mathcal{M}(Y)$, as follows:

$$\mathcal{F}(t)(\mu) = \sum_{(\mu_0, b) \in t} \Big(\prod_{a \in |X|} \mu(a)^{\mu_0(a)}\Big)\, b.$$

And we have the following proposition.

Proposition 1. $\mathcal{F}$ is a functor from coK($¡$) to the category whose objects are the coherence spaces and whose morphisms are the convex and multiplicative maps.

5 The normal form theorem

We shall start this section by a simple exercise.

Lemma 5. Let $f$ be a function from $\mathbb{N}^+$ to $\mathbb{N}^+$, monotone and multiplicative. Then there is a natural number $k$ such that, for any $n \in \mathbb{N}^+$, $f(n) = n^k$.

Proof. Let $n \in \mathbb{N}^+$ such that $n > 1$. For any $p \in \mathbb{N}$ we define $q_p \in \mathbb{N}$ in the following way

$$q_p = \left\lfloor \frac{p \log n}{\log 2} \right\rfloor,$$

which obeys $2^{q_p} \leq n^p < 2^{q_p + 1}$.

Using the fact that $f$ is monotone and multiplicative we get that

$$f(2)^{q_p} \leq f(n)^p \leq f(2)^{q_p + 1}.$$

We apply the logarithm function to the inequalities above and we get

$$q_p \log 2 \leq p \log n < (q_p + 1) \log 2,$$

$$q_p \log f(2) \leq p \log f(n) \leq (q_p + 1) \log f(2).$$

Since $n \neq 1$, we then have that

$$\frac{q_p \log f(2)}{(q_p + 1) \log 2} \leq \frac{\log f(n)}{\log n} \leq \frac{(q_p + 1) \log f(2)}{q_p \log 2},$$

which is valid for any $p \in \mathbb{N}^+$. Therefore, we can take the limit of the inequality when $p$ goes to infinity and we obtain, since $q_p$ goes to infinity with $p$,

$$\frac{\log f(n)}{\log n} = k \quad\text{where}\quad k = \frac{\log f(2)}{\log 2},$$

and then we clearly have that, for any $n \in \mathbb{N}^+$ such that $n > 1$, $f(n) = n^k$.

But $f$ is multiplicative, which means, in particular, that $f(1)^2 = f(1)$ and, since $f(1) \in \mathbb{N}^+$, $f(1) = 1$. Then, for any $n \in \mathbb{N}^+$,

$$f(n) = n^k.$$

For any $n \in \mathbb{N}^+$, we must have $n^k \in \mathbb{N}^+$, which implies that $k \in \mathbb{N}$ (this is a known result of number theory). □

And, with this lemma, we are able to prove the normal form theorem.

Theorem 1. Let $X$ and $Y$ be coherence spaces. Let $f$ be a convex and multiplicative map from $X$ to $Y$. Let $\nu \in \mathcal{M}(X)$ and $b \in |f(\nu)|$. Then, there is a unique $\mu_0 \in \mathcal{M}(X)$ such that $|\mu_0| \leq \nu$, $\mu_0$ is finite and, for any $\mu \in \mathcal{M}(X)$,

$$\mu + \mu_0 \in \mathcal{M}(X) \Rightarrow f(\mu)(b) = \prod_{a \in |X|} \mu(a)^{\mu_0(a)}.$$

Proof. Let $f_b$ be the function from $\mathcal{M}(X)$ to $\mathbb{N}$ defined, for any $\mu \in \mathcal{M}(X)$, by $f_b(\mu) = f(\mu)(b)$. Observe that, since $f$ is convex and multiplicative, so is $f_b$.

It is easy to prove that $f_b(|\nu|) = |f_b(\nu)|$ and, given that, by hypothesis, $b \in |f(\nu)|$, we have that $f_b(|\nu|) = 1$. Then, by Lemma 4 (when $|\nu|$ is finite, $|\nu|$ itself will do), there is a $\nu_0 \leq |\nu|$ such that $\nu_0$ is finite and $f_b(\nu_0) = 1$. Observe that $\nu_0^2 = \nu_0$.

If $\nu_0$ is minimal, it is unique (by multiplicativity of $f$); we suppose it is the case.

For every $a \in \nu_0$, let $f_b^a$ be the function from $\mathbb{N}^+$ to $\mathbb{N}^+$ defined, for any $n \in \mathbb{N}^+$, by

$$f_b^a(n) = f_b(\nu_0 + (n - 1)\, a).$$

Since $f_b$ is convex and multiplicative, then, for every $a \in \nu_0$, $f_b^a$ is convex and multiplicative, and therefore, by Lemma 2, $f_b^a$ is also monotone. Lemma 5, then, yields that, for every $a \in \nu_0$, there is a $k_a \in \mathbb{N}$ such that, for any $n \in \mathbb{N}^+$,

$$f_b^a(n) = n^{k_a}.$$

Moreover, the minimality of $\nu_0$ and the convexity of $f$ entail that, for all $a \in \nu_0$, the natural number $k_a$ is different from $0$.

Let $\mu \in \mathcal{M}(X)$ such that $\nu_0 \leq \mu$. By multiplicativity of $f$,

$$f_b(\nu_0\mu) = f_b(\nu_0)\, f_b(\mu) = f_b(\mu).$$

As $\nu_0 \leq \mu$,

$$\nu_0\mu = \nu_0 + \sum_{a \in \nu_0} (\mu(a) - 1)\, a.$$

Then, iterating Lemma 1, we get that

$$\nu_0 + \sum_{a \in \nu_0} (\mu(a) - 1)\, a = \prod_{a \in \nu_0} \big(\nu_0 + (\mu(a) - 1)\, a\big)$$

and by multiplicativity of $f_b$ again, we have

$$f_b(\nu_0\mu) = \prod_{a \in \nu_0} f_b\big(\nu_0 + (\mu(a) - 1)\, a\big)$$

and, equivalently,

$$f_b(\mu) = \prod_{a \in \nu_0} f_b^a(\mu(a)),$$

which finally yields that

$$f_b(\mu) = \prod_{a \in \nu_0} \mu(a)^{k_a}.$$

Let $\mu_0 \in \mathcal{M}(X)$ be defined by $\mu_0(a) = k_a$ if $a \in \nu_0$ and $\mu_0(a) = 0$ otherwise, so that $|\mu_0| = \nu_0$. By construction we have that $|\mu_0| \leq \nu$, $\mu_0$ is finite and, for every $\mu \in \mathcal{M}(X)$,

$$|\mu_0| \leq \mu \Rightarrow f(\mu)(b) = \prod_{a \in |X|} \mu(a)^{\mu_0(a)}.$$

Now we need to check that, for every $\mu \in \mathcal{M}(X)$ such that $\mu + \mu_0 \in \mathcal{M}(X)$ and $|\mu_0| \not\leq \mu$, it holds that $f(\mu)(b) = 0$.

Let $\mu$ be such a multiclique and let us assume that $f(\mu)(b) \neq 0$. Then, we have shown that there is a finite multiclique $\mu_0' \in \mathcal{M}(X)$ such that $|\mu_0'| \leq \mu$ and, for every $\rho \in \mathcal{M}(X)$,

$$|\mu_0'| \leq \rho \Rightarrow f(\rho)(b) = \prod_{a \in |X|} \rho(a)^{\mu_0'(a)}.$$

Clearly $\mu_0 + \mu_0' \in \mathcal{M}(X)$. Let $(a_i)_{1 \leq i \leq n}$ be an enumeration without repetitions of the clique $|\mu_0 + \mu_0'|$ and let $\xi \in \mathcal{M}(X)$ be given by $|\xi| = |\mu_0 + \mu_0'|$ and $\xi(a_i) = p_i$, the $i$-th prime number.

Since $|\mu_0| \leq \xi$ and $|\mu_0'| \leq \xi$, both displayed implications apply to $f(\xi)(b)$ and we have

$$\prod_{a \in |X|} \xi(a)^{\mu_0(a)} = \prod_{a \in |X|} \xi(a)^{\mu_0'(a)},$$

that is

$$\prod_{i=1}^{n} p_i^{\mu_0(a_i)} = \prod_{i=1}^{n} p_i^{\mu_0'(a_i)}.$$

Hence, by uniqueness of prime factorization, $\mu_0 = \mu_0'$, and we have a contradiction, since $|\mu_0'| \leq \mu$ whereas $|\mu_0| \not\leq \mu$.

The same argument shows that the multiclique $\mu_0$ whose existence is stipulated by the theorem is unique. □

Once we have the normal form theorem, we may define the trace of a convex and multiplicative map.

Definition 7. Let $X$ and $Y$ be coherence spaces and $f$ a convex and multiplicative map from $X$ to $Y$. The trace of $f$, $\mathcal{T}(f)$, is the following clique of $¡X \multimap Y$:

$$\mathcal{T}(f) = \Big\{(\mu_0, b) \;\Big|\; \mu_0 \in \mathcal{M}(X) \wedge \mu_0 \text{ is finite} \wedge b \in |f(\mu_0)| \wedge \forall \mu \in \mathcal{M}(X)\, \Big(\mu + \mu_0 \in \mathcal{M}(X) \Rightarrow f(\mu)(b) = \prod_{a \in |X|} \mu(a)^{\mu_0(a)}\Big)\Big\}.$$

Finally, one may easily prove the following proposition, which expresses in a categorical way the bijective correspondence between the morphisms of coK($¡$) and the convex and multiplicative maps.

Proposition 2. $\mathcal{T}$ is a functor going in the opposite direction of $\mathcal{F}$. And it holds that, for any multiplicative and convex map $f$ from $X$ to $Y$ and for any clique $t$ of $¡X \multimap Y$,

$$\mathcal{F}(\mathcal{T}(f)) = f \quad\text{and}\quad \mathcal{T}(\mathcal{F}(t)) = t.$$
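The following worked example is added here and is not code from the paper. It implements, in Python, multicliques over a small finite coherence space, the function $\mathcal{F}(t)$ of Definition 6, and the trace $\mathcal{T}(f)$ of Definition 7 computed exactly as in the proof of Theorem 1 (a least support $\nu_0$ with $f(\nu_0)(b) = 1$, then the exponents read off a probe with prime multiplicities); it checks $\mathcal{T}(\mathcal{F}(t)) = t$ (Proposition 2) and, by brute force on small multiplicities, the convexity and multiplicativity of $\mathcal{F}(t)$ from Definitions 4 and 5 (Proposition 1), and it exhibits the two cliques of $¡1 \multimap 1$ from the end of section 2 that coincide on cliques but not on multicliques. The spaces X and Y, the clique T (one may check by hand that its pairs with coherent inputs have distinct, coherent outputs) and the function names are constructed for this example and are not the paper's.

```python
from itertools import combinations, product
from math import prod

# Added example (not the paper's code). Multicliques are dicts atom -> multiplicity;
# a point of ¡X is the frozenset of its (atom, multiplicity) pairs. X, Y and T are constructed.

class CoherenceSpace:
    """A finite web with a reflexive, symmetric coherence relation."""
    def __init__(self, web, coherent_pairs):
        self.web = tuple(web)
        self._coh = {frozenset(p) for p in coherent_pairs}

    def coh(self, a, b):
        return a == b or frozenset((a, b)) in self._coh

    def cliques(self):
        """All cliques of the web, i.e. the points of !X (the empty clique included)."""
        return [frozenset(s) for n in range(len(self.web) + 1)
                for s in combinations(self.web, n)
                if all(self.coh(a, b) for a, b in combinations(s, 2))]

    def multicliques(self, bound):
        """All multicliques whose multiplicities are at most `bound`."""
        return [dict(zip(sorted(s), ns)) for s in self.cliques()
                for ns in product(range(1, bound + 1), repeat=len(s))]

def key(mu):
    """Hashable form of a finite multiclique (a point of ¡X)."""
    return frozenset((a, n) for a, n in mu.items() if n > 0)

def pointwise(op, x, y):
    """Apply op coordinatewise to two multisets, dropping zero coordinates."""
    return {b: v for b in set(x) | set(y) if (v := op(x.get(b, 0), y.get(b, 0)))}

def eval_clique(t, mu):
    """Definition 6: F(t)(mu)(b) = sum over (mu0, b) in t of prod_a mu(a)^mu0(a), 0^0 = 1."""
    out = {}
    for mu0, b in t:
        coeff = prod(mu.get(a, 0) ** n for a, n in mu0)
        if coeff:
            assert b not in out, "t coherent => at most one nonzero term per b"
            out[b] = coeff
    return out

PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)

def trace(f, X):
    """Definition 7 computed as in the proof of Theorem 1: the least nu0 <= s with f(nu0)(b) = 1
    is |mu0|, and mu0(a_i) is the exponent of the i-th prime in f(xi)(b) for the probe xi(a_i) = p_i."""
    t = set()
    for s in X.cliques():
        for b in f(dict.fromkeys(s, 1)):
            nu0 = min((c for c in X.cliques() if c <= s and b in f(dict.fromkeys(c, 1))), key=len)
            atoms = sorted(nu0)
            value, mu0 = f(dict(zip(atoms, PRIMES)))[b], []
            for a, p in zip(atoms, PRIMES):
                k = 0
                while value % p == 0:
                    value, k = value // p, k + 1
                mu0.append((a, k))
            t.add((frozenset(mu0), b))
    return t

def is_convex_and_multiplicative(f, X, bound=2):
    """Brute-force check of Definitions 4 and 5 on multicliques with small multiplicities."""
    ms = X.multicliques(bound)
    summable = lambda *xs: all(X.coh(a, b) for a, b in combinations(set().union(*xs), 2))
    leq = lambda x, y: all(x.get(a, 0) <= y.get(a, 0) for a in x)
    add, mul = int.__add__, int.__mul__
    for mu, nu in product(ms, repeat=2):
        if summable(mu, nu) and f(pointwise(mul, mu, nu)) != pointwise(mul, f(mu), f(nu)):
            return False
    for mu, nu, rho in product(ms, repeat=3):
        if summable(mu, nu, rho) and leq(mu, nu) and not leq(
                pointwise(add, f(pointwise(add, mu, rho)), f(nu)),
                pointwise(add, f(mu), f(pointwise(add, nu, rho)))):
            return False
    return True

# Constructed spaces: in X, a and b are coherent and c is incoherent with both; in Y, p coh q.
X = CoherenceSpace("abc", [("a", "b")])
Y = CoherenceSpace("pq", [("p", "q")])
T = {(key({"a": 2}), "p"), (key({"a": 1, "b": 1}), "q"), (key({"c": 1}), "p")}
ONE = CoherenceSpace("*", [])
T1 = {(key({"*": 1}), "*")}   # the clique {([*], *)} of ¡1 -o 1
T2 = {(key({"*": 2}), "*")}   # the clique {([*, *], *)} of ¡1 -o 1

def check_normal_form():
    """Propositions 1 and 2 on T: F(T) is convex and multiplicative, and T(F(T)) == T."""
    f = lambda mu: eval_clique(T, mu)
    return is_convex_and_multiplicative(f, X) and trace(f, X) == T

def not_well_pointed():
    """T1 and T2 agree on every clique of 1 but differ on the multiclique 3[*]."""
    same = all(eval_clique(T1, dict.fromkeys(s, 1)) == eval_clique(T2, dict.fromkeys(s, 1))
               for s in ONE.cliques())
    return same, eval_clique(T1, {"*": 3}), eval_clique(T2, {"*": 3})
```

On the multiclique $3[a] + 2[b]$ the clique T evaluates to $9[p] + 6[q]$, which is exactly the monomial reading of its points; the prime probe recovers $[a, a]$, $[a, b]$ and $[c]$ from the values $4$, $6$ and $2$ respectively, which is the unique-factorization step used in the uniqueness part of the proof of Theorem 1.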

6 Some remarks

We have seen that linear maps are particular stable maps. There is a similar result for convex and multiplicative maps.

Proposition 3. Let $X$ and $Y$ be coherence spaces. Let $f$ be a convex and multiplicative map from $X$ to $Y$. Then, $f$ is a linear map iff, for every $\mu, \nu \in \mathcal{M}(X)$,

$$\mu + \nu \in \mathcal{M}(X) \Rightarrow f(\mu + \nu) = f(\mu) + f(\nu).$$

The Berry order for convex and multiplicative functions is, obviously, defined as follows.

Definition 8. Let $X$ and $Y$ be coherence spaces. The Berry order on the convex and multiplicative functions from $\mathcal{M}(X)$ to $\mathcal{M}(Y)$, which we denote by $\leq_B$, is defined, for any such functions $f$ and $g$, by:

$$f \leq_B g \iff \mathcal{T}(f) \subseteq \mathcal{T}(g).$$

And, as for the set exponentials, the Berry order has a functional counterpart.

Proposition 4. Let $X$ and $Y$ be coherence spaces. Let $f$ and $g$ be convex and multiplicative functions from $\mathcal{M}(X)$ to $\mathcal{M}(Y)$. Then

$$f \leq_B g \iff \forall \mu, \nu \in \mathcal{M}(X)\, (\mu + \nu \in \mathcal{M}(X) \Rightarrow f(\mu\nu) = f(\mu)\, g(\nu)).$$

Our approach presents a discrepancy which may have puzzled the reader. The traces of our morphisms are cliques, but as functions, these morphisms act on multicliques. A natural generalization would be to allow arbitrary multicliques as traces of morphisms. Furthermore, such an approach would also be closer to Girard's quantitative semantics, since the monomials of his "formal series" (which correspond to the elements of our traces) have coefficients.
Given a multiclique $t$ of $¡X \multimap Y$ and a multiclique $\mu$ of $X$, how could we generalize Definition 6 to define $\mathcal{F}(t)(\mu)$ as a multiclique of $Y$? The answer is, obviously,

$$\mathcal{F}(t)(\mu) = \sum_{(\mu_0, b) \in |¡X \multimap Y|} t(\mu_0, b) \Big(\prod_{a \in |X|} \mu(a)^{\mu_0(a)}\Big)\, b.$$

Indeed, in the particular case where $t$ is a clique, this formula coincides with the formula of Definition 6. These functions are convex but fail to be multiplicative, and we have to introduce a notion of weak multiplicativity in order to characterize them.

In the complete version of the paper we consider the category Coh($\mathbb{N}^+$), whose objects are the coherence spaces. In that category, a morphism from a coherence space $X$ to a coherence space $Y$ is a multiclique $t$ of $¡X \multimap Y$ such that $|t|$ is a linear map. This corresponds to the parameterization of Coh by the monoid $(\mathbb{N}^+, 1, \times)$, in the same way it is done in [7].

We finally prove that the co-Kleisli category of the comonad $!$ in Coh($\mathbb{N}^+$) is isomorphic to the category whose objects are the coherence spaces and whose morphisms are the convex and weakly multiplicative functions. Observe that, in that co-Kleisli category, a point is a multiclique and, therefore, since the morphisms act on multicliques, the category is well pointed.
Abstract. In existing game models, total functionals have no simple characterization, neither in terms of game strategies nor in terms of the total set-theoretical functionals they define. We show that the situation changes if we extend the usual notion of game by allowing infinite plays. Total functionals are, now, exactly those having a tree-strategy in which all branches end in a last move, winning for the strategy. Total functionals now define (via an extensional collapse) all set-theoretical functionals. Our model is concrete: we used infinite computations only to have a nice characterization of totality. A computation may be infinite only when the input is a discontinuous functional; in practice, never.



1 Introduction 

Games and strategies have emerged as useful tools to model interaction, with 
applications both to logic and to the theory of higher type functionals. 

We address the problem of characterizing total functionals in game theoretic 
models. A natural conjecture is that a functional is total if and only if it is 
the extensional counterpart of some winning well-founded strategy. This would 
mean that a total functional can always be described via strategies whose plays 
eventually end, after finitely many steps, in some move by the Player, which 
Opponent cannot reply to. 

We prove, however, that this is the case only (and exactly) for Tait-definable functionals, and that some interesting computable total functionals have infinite branches in any strategy defining them. This calls for a generalization of the notion of play to ordinal sequences of moves (possibly of transfinite length), and for a proper notion of winning strategy. Later, we will remark that infinite plays arise only in the application of a functional to some discontinuous functional. Hence transfinite plays are relevant to have a nice characterization of total maps, but they cannot arise in practice.

In the literature game theoretic concepts have been proposed to construct models of lambda calculi, by extensionally collapsing certain sets of strategies. There have been two proposals: the first one is based on the idea of history-free strategies [3]; according to the second one players move depending on "views" of the play: these are called dialog games and innocent strategies, as defined in [10,11].
In [7] an apparently different notion of game, originally introduced by Novikoff, is used to give an intuitionistic explanation of the classical notion of truth. As will be explained in sections 2 and 3 of the present paper, dialog games and Novikoff-Coquand games are closely related: the former can be obtained from the latter by distinguishing between question and answer moves, and by imposing Gandy's "no dangling question" condition (no computation may end before all its sub-computations have ended).

In all cases quoted above strategies produce either finite plays, or non-terminated plays of length $\omega$. This is not necessary, at least in the case of strategies depending on views (called "innocent strategies" in [10]), since a generalization of dialog games to plays of transfinite length has been achieved in [5]. As we pointed out in the abstract, in this way all total set-theoretical functionals become naturally definable via strategies in which all branches end (maybe after infinitely many steps) in a last move, winning for the strategy.

We do not lose concreteness of the game interpretation: transfinite plays may arise only as the effect of the application to discontinuous arguments. Yet, transfinite branches are necessary even to represent some computable functionals.

To substantiate this claim, we provide two examples of type 3 functionals, taken from Kreisel's realization model of Analysis. They require strategies with transfinite branches; but, if their arguments are hereditarily continuous functionals, the resulting play is always finite, and it is recursive if the arguments are.

The plan of the paper is as follows. In section 2 we introduce the basic definitions of transfinite dialog games. Then, in section 3, we specialize games to functional games. In section 4 we characterize total functionals, as promised. In the same section, we characterize total functionals definable via well-founded strategies as the Tait-continuous functionals. Finally, in section 5, we prove that this class does not contain even all "computable" total functionals: in particular certain type 3 realizers for Classical Second Order Arithmetic cannot be described via well-founded strategies.

Because of lack of space, almost all proofs have been omitted. 

2 Games with transfinite plays 

In this section we introduce Coquand’s notion of game, as generalized in [5]. 

We want games able to model computations consisting of questions/answers (or dialogues) between two processes. The first question is the input value, its answer is the output value, and it ends the dialogue. During the dialogue, processes alternate: each process answers some previous question of the other process. The answer may be another question (concerning the value of a subcomputation); or it may be the final value of a (sub)computation.

We fix a trivial example we will use throughout the paper. Let $F : (N \to N) \to N$ and $f : N \to N$. Assume $f(0) = a$, $f(1) = b$, $f(2) = c$. We will describe the computation of $F(f) = f(0) + f(1) + f(2)$ as a dialogue between a process $F$ and a process $f$. First, $f$ asks "$F(f) = ?$" (asks $F$ for the value of $F(f)$). $F$ answers by asking "$f(x) = ?$" (by asking $f$ for the value of $f(x)$ in $x = 0$); $f$, in turn, answers "$x = ?$" (asks $F$ for the input value $x$). $F$ answers by "$x = 0!$" (by sending the input value $0$ to $f$); now $f$ answers $F$'s original question, by "$f(x) = a!$" (by returning the output value $a$ of $f(x)$ in $x = 0$).

The same questions and answers are used to compute $f(1)$ and $f(2)$. Eventually, $F$ may answer $f$'s first question, "$F(f) = ?$", by returning $(a + b + c)$. This ends the dialogue.

We will model processes by players, whose goal is always to provide an answer to the other player's questions. The first player unable to answer loses. Game rules fix a possible set of answers to each question. Computations are represented by plays which follow the rules of the game. A winning strategy will model a total functional, while a strategy which may lose will model a partial functional. We will define strategies at the end of this section. Before that, we formally define Coquand's games and plays.

Definition 1. A game is a 5-tuple $G = (A, B, M, R, m_0)$ such that:

1. $A$, $B$ are the names of the first and the second player;

2. $M$ is a set, whose elements are the moves of $G$;

3. $R \subseteq M \times M$ is the set of rules of $G$: $(m, m') \in R$, also written $mRm'$, reads as "$m'$ is a legal reply to move $m$";

4. $m_0 \in M$ is the starting move.

We assume the relation $R$ has finite depth: there exists $k < \omega$ such that, if $m_0 R m_1 \cdots m_{n-1} R m_n$, then $n < k$.

In our example, $A$ and $B$ are the processes $f$ and $F$. $M$ is the set of possible questions and answers between any two $F : (N \to N) \to N$ and $f : N \to N$, that is: $F(f) = ?$, $F(f) = i!$, $f(x) = ?$, $f(x) = j!$, $x = ?$, $x = k!$. We list now a coding for the elements of $M$.

1. $m_0 = ?\epsilon$ is $F(f) = ?$, the first question of the game, of $f$ about the value of $F(f)$.

2. The possible answers of $F$ to $?\epsilon$ are: the answer $!i$, or $F(f) = i!$, consisting of the output value $i \in N$ for $F$, and another question, $?1$, or $f(x) = ?$, of $F$ to $f$, about the value of $f(x)$.

3. The possible answers of $f$ to $?1$ are: the answer $!1.j$, or $f(x) = j!$, consisting of the output value $j \in N$ of $f(x)$, and the question $?1.1$, or $x = ?$, of $f$ to $F$, about the value of its input $x$.

4. The only possible answers of $F$ to $?1.1$ are $!1.1.k$, or $x = k!$, consisting of a value $k \in N$ for $x$. (In the next section, we will describe more in general a coding for the elements of $M$.)

The relation $R(m, m')$ on $M$, or "game rule", describes the set of all $m'$ which are a correct answer to $m$: in our case, according to what was said, we have $R(?\epsilon, !i)$, $R(?\epsilon, ?1)$, $R(?1, !1.j)$, $R(?1, ?1.1)$, $R(?1.1, !1.1.k)$. The height of $R$ is finite (equal to 3).

The next step will be to introduce first "generic" plays, and then specialize them to the particular notion of play we will use: "Novikoff plays".
Definition 2. A generic play of the game $G$ above is a triple $p = (I, r, m_{(\cdot)})$ such that:

1. $I$, called the carrier set, is a non-empty well-order (total and well-founded), with minimum $0_I$. Its elements are the indexes of the moves of the play $p$.

2. $r : I - \{0_I\} \to I$ is a map such that $r(i) < i$ for all $i \in I - \{0_I\}$. $r$ is called the reply map; $r(i)$ denotes (the index of) the move to which the move with index $i$ answers. Thus, $r(0)$ is undefined.

3. $m_{(\cdot)} : I \to M$ is a map, associating to each index $i \in I$ a move $m_i \in M$ of the play, having such index. We ask moreover that $R(m_{r(i)}, m_i)$ for all $i > 0$ (that is, whenever a move answers another one, it is a correct answer to it).

In our example, the whole play has 14 moves, and index set $I = \{0, \ldots, 13\}$. The moves are: $m_0 = ?\epsilon$ (or $F(f) = ?$), $m_1 = ?1$ (or $f(x) = ?$), $m_2 = ?1.1$ (or $x = ?$), $m_3 = !1.1.0$ (or $x = 0!$), $m_4 = !1.a$ (or $f(x) = a!$), ... The last move is $m_{13} = !(a + b + c)$, or $F(f) = (a + b + c)!$. The reply map $r$ keeps track of which move each move answers: we may check that its values are: $r(1) = 0$, $r(2) = 1$, $r(3) = 2$, $r(4) = 1$, ... (the move 4 provides the value of $f(x)$ in $x = 0$, hence it answers the move 1). Remark that $r(13) = 0$ (the last move provides the value of the whole computation, hence it answers the move 0).

We will now define a map $\mathrm{turn} : I \to \{A, B\}$, telling which player is on turn at a given step. Since $r(i) < i$ for $i > 0$, we have $r^n(i) = 0$ for a unique $n \in N$. The player on turn at $0$ is $A$ by the rules of the game, and the player on turn at $r(i)$ is the opponent of the player on turn at $i$. Thus, we may define turn as follows: $\mathrm{turn}(i) = A$ if the first $n$ such that $r^n(i) = 0$ is even, and $\mathrm{turn}(i) = B$ if such an $n$ is odd.

The last step is to restrict the set of plays we allow by introducing the notion of visibility. Visibility models the memory of the computation (which past moves may be used by a player to decide the next move, or which moves may be answered). We follow Novikoff and Coquand, and we decide to assume that each move between a question in $j = r(i)$ and its answer in $i$ is invisible for the player who got the answer. The reason is that we think of the moves in $]j, i[$ as a subcomputation, with input the question in $j$, and output the answer in $i$. And we want to model any computation by a "black box", whose only visible points are the input and the output, as real computations are. Thus, the player who sent the input in $j$ and received the output in $i$ should see nothing else in between.

Let $U = \mathrm{turn}(i)$. We may express the Novikoff-Coquand condition by requiring: 1. each segment $[0, i[$ of the play is split into a partition made of segments $[r(k), k]$ ($r(k)$ = question of $U$, $k$ = answer of his opponent); 2. the only visible moves, by $U$ from $i$, are the endpoints $\{r(k), k\}$ of such segments; 3. $r(i) = k$ for the last point $k$ of one of such segments. This latter requirement means that $U$, at $i$, replies to some visible answer of his opponent. We will now formalize the idea above into the definition of Novikoff play.

Definition 3.

- We associate to any $i \in I$ a segment by $S(i) = [0, 0]$ if $i = 0$, $S(i) = [r(i), i]$ if $i > 0$. We call $S(i)$ an $R$-segment: it is the segment of moves between the move $i$ answers to (if any), and $i$ itself.

- We say that $\{S(k) \mid k \in V\}$ is a "black box structure" over $I$ if it is a partition of $I$. We call the set $V$ above, consisting of the last points of the segments $S(k)$, a visibility set over $I$.

- We say that $p = (I, r, m_{(\cdot)})$ is a Novikoff play if there is a map $V(\cdot) : I \to \mathcal{P}(I)$ such that, for all $i \in I$, $V(i)$ is a visibility set over $[0, i[$ and, for $i > 0$, $r(i) \in V(i)$.

Starting from the sets $V(i)$, we may formalize the visibility predicate $\mathrm{Vis}(U, \xi, \zeta)$ (to be read "$\zeta$ is visible by player $U$ at $\xi$") by

$$\mathrm{Vis}(\mathrm{turn}(\xi), \xi, \zeta) \iff \zeta \in V(\xi) \cup r(V(\xi) - \{0\})$$

and, if $U = \mathrm{turn}(r(\xi)) \neq \mathrm{turn}(\xi)$,

$$\mathrm{Vis}(U, \xi, \zeta) \iff \zeta = r(\xi) \vee \mathrm{Vis}(U, r(\xi), \zeta).$$

The first definition expresses that $V(\xi) \cup r(V(\xi) - \{0\})$ is the set of endpoints of the "black box structure" associated to $\xi$ and to the player on turn at $\xi$. The second definition expresses the fact that no move in $]r(\xi), \xi[$ is visible by the player $U$ on turn at $r(\xi)$. This is because the segment $[r(\xi), \xi]$ starts by a question by $U$, and ends by the answer of the other player. Thus, according to our assumptions, its interior is invisible by $U$.

The view of $U$ on $p$ at $\xi$ is the set

$$\mathrm{view}(U, p, \xi) = \{\zeta \mid \mathrm{Vis}(U, \xi, \zeta)\}.$$

The main result about Novikoff plays is the following (proved in [5]):

Theorem 1. Let $p$ be any Novikoff play. Then all one-step extensions of $p$ have, in their last move, the same visibility set and the same player on turn.

Because of Theorem 1, if a play $p$ of length $\alpha$ can be extended, it makes sense to speak of the player on turn at the $\alpha$-th step: abusing notation we simply write $\mathrm{turn}_p(\alpha)$.

Theorem 1 is easy to prove when $I$ has a successor length, but difficult when $I$ has a limit length. Herbelin [8] remarked that the case $\mathrm{length}(I) = \omega$ is elementarily equivalent to Tait's normalization result for $\omega$-logic. As an easy corollary, the visibility assignment $V(\cdot) : I \to \mathcal{P}(I)$ such that $r(i) \in V(i)$ for all $i > 0$, if it exists, is unique; and $V(i)$, $\mathrm{turn}(i)$ are uniquely determined by $r$ restricted to $[0, i[$. Thus, in principle, we could just say that a play is Novikoff, without quoting the map $V(\cdot) : I \to \mathcal{P}(I)$, since this map is unique.

Our example of play is a Novikoff play. We will now write down, for each move, a row with all the visibility information for the player on turn. Moves visible by the player on turn will be marked "v", or "v̄" for the moves of his opponent, forming the visibility set. Invisible moves will be marked "i". We call the process $F$ "P" (for "Player"), and the process $f$ "O" (for "Opponent").
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Remark that move 13 cannot see, for instance, the moves 2, 3. The reason 
is that such moves are in the interior of the i?-segment [1,4], that is, of the 
subcomputation with question f{x) =? and answer f{x) = a!. Thus, moves 2,3 
are, for the player on turn on move 13, inside a ’’black box”, hence invisible. 

In the case of finite pre-plays, we may prove that the set view is the visibility set of view-strategies (called "innocent" in [10]), having a simple inductive definition:
$$\mathrm{view}(U, p, i) = \begin{cases} \{i - 1\} \cup \mathrm{view}(U, p, i - 1) & \text{if } \mathrm{turn}(i) = U \\ \{r(i)\} \cup \mathrm{view}(U, p, r(i)) & \text{if } \mathrm{turn}(i) \neq U. \end{cases}$$

This is the standard notion of visibility in dialog games: it is defined in this way both in [10,11] and in [7]. The case of plays of possibly transfinite length has been considered for the first time in [5], from which we borrow the axiomatic definition of $\mathrm{Vis}$. The definition above does not tell, explicitly, who is the player on turn at a limit point $\lambda \in I$, nor his views. The main Theorem 1, however, states that $r$ restricted to $[0, \lambda[$ uniquely determines the turn and the view at point $\lambda$.

This ends the introduction of Novikoff plays. In the remainder of this section we will introduce strategies. In the next section we will use them to model functionals.

To define strategies, concepts and terminology about certain parts of plays are in order. First, if $\xi \leq I$ then $p|\xi$ (a prefix play of $p$) is the (pre) play whose carrier set is $[0, \xi[$ and whose $r$, $m(\cdot)$ are the restrictions to $[0, \xi[$ of those of $p$. More in general, if $J \subseteq I$ then $p|J$ is the structure $(J, r', m'(\cdot))$ where $r'$, $m'(\cdot)$ come from $r$, $m(\cdot)$ of $p$ by restricting them to $J$.

Given a play $p$ we can choose $J$ such that $p|J$ is closed under the reply function and has the structure of a play, but it is not such for trivial reasons: e.g. because its first move is not $m_0$, or because it is played by P. To define the notion of subplay without being too restrictive we introduce the notion of play morphism (see also [10]).

Definition 4. If $p$ and $q$ are (pre) plays, with carrier sets $I$, $J$, then $\varphi : p \to q$ is a play morphism if it consists of a pair of maps $(\varphi_0, \varphi_1)$ such that $\varphi_0 : I \to J$ is strictly increasing and $\varphi_1 : \{O, P\} \to \{O, P\}$ is the identity or the exchange, and for all $\xi < \alpha$:
$$\mathrm{turn}_q(\varphi_0(\xi)) = \varphi_1(\mathrm{turn}_p(\xi)), \qquad r_q(\varphi_0(\xi)) = \varphi_0(r_p(\xi)).$$
The image $\varphi[p]$ in $q$ is a subplay of $q$.

The subplay $\varphi[p]$ of $q$ has the same structure as $p$, and its reply and turn functions are $r_q|\varphi_0[I]$ and $\mathrm{turn}_q|\varphi_0[I]$ (where $\varphi_0[I]$ is the image of $I$ in $J$ via $\varphi_0$).
Proposition 1. If $\varphi[p]$ is a subplay of $q$, then $I = \varphi_0[\mathrm{length}(p)]$ is such that:

1. if $\xi, \zeta \in I$ are such that $\xi < \zeta$ and there exists no $\eta \in I$ such that $\xi < \eta < \zeta$, then $\mathrm{turn}(\xi) \neq \mathrm{turn}(\zeta)$;

2. $r[I \setminus \{\min(I)\}] \subseteq I$;

3. for any $\xi \in I$, if $I' = \{\zeta \in I \mid \zeta < \xi\}$ then $I' \cap \mathrm{view}(\mathrm{turn}(\xi), q, \xi)$ is cofinal in $I'$.

Vice versa, if $I \subseteq \mathrm{length}(q)$ satisfies the above conditions, then $q|I$ is a subplay of $q$.

A pre-play is $U$-cut free, for $U \in \{O, P\}$, if
$$\xi > 0 \land \mathrm{turn}(\xi) \neq U \implies \xi = r(\xi) + 1,$$
namely if the opponent of $U$ is forced to reply to the last move of $U$.

"$U$-cut free (pre) plays" is the terminology of [7]. If a pre-play has finite length then the previous definition is a generalization of [11], Definition 3.1.3. Observe that in a $U$-cut free pre-play, $U$ is the unique player allowed to play at limit points.

Any view determines a subplay (but not vice versa), i.e. any non empty $I = \mathrm{view}(U, q, \xi)$ satisfies the conditions of Proposition 1. Such a $q|I$ is a $U$-cut free play which, with overloaded terminology, we call the $U$-view of $q$ at $\xi$. Also $I \cup \{\xi\}$ determines a subplay $q|(I \cup \{\xi\})$, which we call the "large $U$-view".

We say that player $U$ is deterministic on a play $p$ if for all $\xi, \zeta < \mathrm{length}(p)$, if $\mathrm{turn}(\xi) = \mathrm{turn}(\zeta) = U$ and $p|\mathrm{view}(U, p, \xi)$ is isomorphic to $p|\mathrm{view}(U, p, \zeta)$ (i.e., they are the same up to renaming of the elements of the carrier sets) then the large $U$-views at $\xi$, $\zeta$ are isomorphic, too. A play $p$ is a deterministic play if both players are deterministic on $p$.

Definition 5. A strategy $s$ for player $U$ over a game $G$ (shortly a $U$-strategy) is a tree (i.e. a prefix closed set) of $U$-cut free plays of $G$ such that, for all $p \in s$ with $\alpha = \mathrm{length}(p)$:

1. if $\mathrm{turn}(\alpha) = U$ then there is at most one $q \in s$ of length $\alpha + 1$ such that $p$ is a prefix of $q$;

2. if $\mathrm{turn}(\alpha) \neq U$ (hence $\alpha$ is a successor) then for any $m \in M$ which is a legal reply to $p_{\alpha-1}$, i.e. such that $p_{\alpha-1}\, R\, m$, there exists $q \in s$ of length $\alpha + 1$ such that $p$ is a prefix of $q$, $q_\alpha = m$ and $r_q(\alpha) = \alpha - 1$.

Player $U$ follows the strategy $s$ in the play $q$ if for all $\xi < \mathrm{length}(q)$ the large $U$-view $p$ of $q$ at $\xi$ belongs to $s$, up to renaming of the carrier set. Clearly $U$ follows some strategy in $q$ if and only if $U$ is deterministic on $q$.

The main consequence of Theorem 1 w.r.t. strategies is the cut-elimination theorem:

Theorem 2 (Cut-elimination [5]). Let $s$ be a $P$-strategy and $t$ an $O$-strategy such that the heights of $s$ and $t$ are bounded above by some infinite regular ordinal $\kappa$. Then there exists a unique play $p$ of maximal length such that $P$ and $O$ follow the strategies $s$ and $t$ respectively, and $\mathrm{length}(p) = \alpha + 1 < \kappa$.

This play has successor length, hence it has a last move; the player who made the last move won. Therefore any two strategies $s$ and $t$, for Player and Opponent respectively, determine a winning player.



3 Sequential functionals of finite type 

The present section specializes dialog games to games and strategies representing functionals. In this case the role of Player is to show that a functional $F_s$, associated to the strategy $s$, is defined against the arguments $F_{t_1}, \ldots, F_{t_k}$: if $s$ wins against $t_1, \ldots, t_k$ then either some $t_i$ misses a move or the resulting play has a last move $!v$ such that $F_s(F_{t_1}, \ldots, F_{t_k}) = v$. Therefore winning strategies (i.e. strategies such that the player who follows them is always able to play a move, when on turn) naturally induce total functionals.

We base our treatment on [11]. Admittedly formalizations based on the categorical semantics of linear logic, as is the case of [6,2,3,1,9], have the advantage of being compositional with respect to the type structure, which is not the case of the present one. However the actual description of strategies seems more direct in a formulation which does not make use of the decomposition of the function space bifunctor into linear implication and the comonad "!". Perhaps the best thing would be a compromise between the two, which is still to be found.

Let $\Gamma = \{\gamma_0, \gamma_1, \ldots\}$ be a set of ground types, and $T(\Gamma)$ be the set of simple types over $\Gamma$. We fix an interpretation of the types in $\Gamma$ as sets of values, and let $V = \bigcup\{V_\gamma \mid \gamma \in \Gamma\}$.

Any type has the form $\tau = \tau_1 \to (\cdots \to (\tau_k \to \gamma)) \in T(\Gamma)$, and is abbreviated by $(\tau_1, \ldots, \tau_k \to \gamma)$. The set of occurrences of $\tau$, $\mathrm{Occ}(\tau)$, is defined inductively: $\varepsilon \in \mathrm{Occ}(\tau)$ and $\tau_\varepsilon = \tau$; if $1 \leq i \leq k$ and $a \in \mathrm{Occ}(\tau_i)$ then $i.a \in \mathrm{Occ}(\tau)$ and $\tau_{i.a} = (\tau_i)_a$.

To each type $\tau$ is associated a game $G_\tau$ as follows.

Definition 6. For $\tau \in T(\Gamma)$, $G_\tau$ is the game $(M_\tau, R_\tau, ?\varepsilon)$ where:

1. $M_\tau = \{?a,\ !a.v \mid a \in \mathrm{Occ}(\tau),\ v \in V_\gamma,\ \text{for } \gamma \text{ the last atom in } \tau_a\}$;

2. $R_\tau$ is the least binary relation over $M_\tau$ such that:

(R1) $a.i \in \mathrm{Occ}(\tau) \implies ?a\ R_\tau\ ?a.i$,

(R2) $a \in \mathrm{Occ}(\tau) \land \tau_a = (\ldots \to \gamma) \land v \in V_\gamma \implies ?a\ R_\tau\ !a.v$.

In $M_\tau$ moves of the form $?a$ are queries for the output value of a functional of type $\tau_a$, applied to all its arguments; moves of the form $!a.v$ are the corresponding answers.

Definition 7. A functional play (henceforth simply a play) over the game $G_\tau$ is a deterministic play $p$ over it such that
$$(F)\quad p_\xi = !v \land r(\xi) < \zeta < \xi \land p_\zeta = ?a \implies \exists \zeta', v'.\ \zeta < \zeta' < \xi \land p_{\zeta'} = !v' \land r(\zeta') = \zeta.$$
(F) imposes that an answer replies to the last unanswered question (the "no dangling condition" of [10]). By (R1)-(R2) only queries can be replied to.
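As an added illustration of Definition 6 and of condition (F) (example code written for this page, not part of the paper): it computes $\mathrm{Occ}(\tau)$, decides the reply relation $R_\tau$ by (R1)/(R2), and checks a sequence of moves with reply pointers for legality and for the no-dangling condition. The single ground type N with $V_N$ the natural numbers and the sample plays are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ty:
    """A simple type in the paper's abbreviated form (tau_1, ..., tau_k -> gamma)."""
    args: tuple        # (tau_1, ..., tau_k), each a Ty
    atom: str          # the last atom gamma

N = Ty((), "N")
# Assumption: a single ground type N whose values V_N are the natural numbers.
VALUES = {"N": lambda v: isinstance(v, int) and v >= 0}

def occurrences(tau: Ty, prefix: tuple = ()) -> dict:
    """Occ(tau) as a dict  a -> tau_a; an occurrence a is a tuple of 1-based
    indices, () being epsilon, and i.a is prefix + (i,) + a."""
    occ = {prefix: tau}
    for i, t in enumerate(tau.args, start=1):
        occ.update(occurrences(t, prefix + (i,)))
    return occ

def legal_reply(tau: Ty, m: tuple, n: tuple) -> bool:
    """m R_tau n by (R1)/(R2).  A query ?a is ("?", a), an answer !a.v is ("!", a, v)."""
    occ = occurrences(tau)
    if m[0] != "?" or m[1] not in occ:
        return False                         # only queries can be replied to
    a = m[1]
    if n[0] == "?":                          # (R1): ?a R ?a.i  when a.i is in Occ(tau)
        return n[1][:-1] == a and len(n[1]) == len(a) + 1 and n[1] in occ
    if n[0] == "!":                          # (R2): ?a R !a.v  when v is a value of the last atom of tau_a
        return n[1] == a and VALUES[occ[a].atom](n[2])
    return False

def check_functional_play(tau: Ty, play: list) -> Optional[str]:
    """play is a list of (move, r) with r the index of the move replied to
    (None for the initial ?epsilon).  Returns None when every move is a legal
    reply under R_tau and every answer satisfies the no-dangling condition (F);
    otherwise a description of the first violation.  (Turns and determinism are
    not checked here.)"""
    if not play or play[0] != (("?", ()), None):
        return "a play must start with the initial query ?epsilon"
    for xi, (move, r) in enumerate(play[1:], start=1):
        if r is None or not 0 <= r < xi:
            return f"move {xi} must reply to an earlier move"
        if not legal_reply(tau, play[r][0], move):
            return f"move {xi} {move} is not a legal reply to move {r} {play[r][0]}"
        if move[0] == "!":
            # (F): a question zeta strictly between r(xi) and xi must have an
            # answer zeta' with zeta < zeta' < xi replying to it
            for zeta in range(r + 1, xi):
                if play[zeta][0][0] == "?" and not any(
                        play[z][0][0] == "!" and play[z][1] == zeta for z in range(zeta + 1, xi)):
                    return f"the answer at {xi} leaves the question at {zeta} dangling"
    return None

# Constructed plays over tau = ((N -> N) -> N): epsilon is the functional F,
# occurrence 1 its argument f, occurrence 1.1 the argument of f.
TAU = Ty((Ty((N,), "N"),), "N")
def Q(*a): return ("?", a)          # the query ?a
def A(v, *a): return ("!", a, v)    # the answer !a.v
GOOD = [(Q(), None),      # F(f) = ?   asked by O
        (Q(1), 0),        # f(x) = ?   P (playing F) queries its argument
        (Q(1, 1), 1),     # x = ?      O (playing f) queries x
        (A(5, 1, 1), 2),  # x = 5
        (A(7, 1), 1),     # f(x) = 7
        (A(3), 0)]        # F(f) = 3   answers the first move: the play is terminated
DANGLING = GOOD[:2] + [(A(3), 0)]        # answers F while f(x) = ? is still open: violates (F)
BAD_REPLY = GOOD[:2] + [(A(7, 1), 0)]    # !1.7 does not reply to ?epsilon under (R2)

if __name__ == "__main__":
    for name, play in (("GOOD", GOOD), ("DANGLING", DANGLING), ("BAD_REPLY", BAD_REPLY)):
        print(name, "->", check_functional_play(TAU, play) or "legal functional play")
```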

Let $(p, r_p)$ be a play and $(p', r_{p'})$ a subplay (of any other play). By $p * p'$ we indicate the partially defined operation of concatenating $p$ with $p'$: $p * p'$ is defined and equal to $(q, r_q)$ if $\mathrm{length}(q) = \mathrm{length}(p) + \mathrm{length}(p')$, $q_\xi = p_\xi$ if $\xi < \mathrm{length}(p)$, $q_\xi = p'_\zeta$ if $\xi = \mathrm{length}(p) + \zeta$, and finally
$$r_q(\xi) = \begin{cases} r_p(\xi) & \text{if } \xi < \mathrm{length}(p) \\ \mathrm{length}(p) + r_{p'}(\zeta) & \text{if } \xi = \mathrm{length}(p) + \zeta > \mathrm{length}(p) \\ \mathrm{length}(p) - 1 & \text{if } \xi = \mathrm{length}(p) \text{ is a successor, and } p_{\mathrm{length}(p)-1}\, R\, p'_0. \end{cases}$$
If some of the above conditions cannot be satisfied, $p * p'$ is undefined. If it is defined we set $\mathrm{turn}_q$ as the function determined by $V_q$.

Let $p$ be a play of type $\tau_i$, for $1 \leq i \leq k$, and $\tau = (\tau_1, \ldots, \tau_k \to \gamma)$. Then we may construct a play $p^{(i)} = (?\varepsilon) * p'$ of type $\tau$ by adding a first move $?\varepsilon$ and by transforming each move over $\tau_i$ into the corresponding move over $\tau$: so $p'$ is the (sub) play obtained from $p$ by changing any question of the form $?a$ into a question of the form $?i.a$. Because of the definition of concatenation, the first move of $p'$ replies to $?\varepsilon$, which implies that players on $p'$ are interchanged with respect to $p$ (indeed, for all $\xi < \mathrm{length}(p)$, $p_\xi$ corresponds to $p^{(i)}_{1+\xi}$, so that $\mathrm{turn}_p(\xi) = O$ if and only if $\mathrm{turn}_{p^{(i)}}(1 + \xi) = P$: in particular, if $\xi$ is a limit, then $1 + \xi = \xi$, so that players are exchanged also at limit points); therefore, if $p$ is a $P$-view of a play of type $\tau_i$, then $p^{(i)}$ is an $O$-view of a play of type $\tau$. Finally, if $s$ is a strategy of type $\tau_i$ then we set $s^{(i)} = \{p^{(i)} \mid p \in s\}$.



Proposition 2. Let $\tau = (\tau_1, \ldots, \tau_k \to \gamma)$ and $s_1, \ldots, s_k$ be $P$-strategies of type $\tau_1, \ldots, \tau_k$. Then
$$(s_1, \ldots, s_k)^O = \bigcup_{i=1}^{k} s_i^{(i)}$$
is an $O$-strategy of type $\tau$, and any such strategy arises in this way.



Because of this proposition there is no theoretical loss in concentrating on $P$-strategies, henceforth called simply strategies. An immediate consequence of this and of Theorem 2 is that, given some $P$-strategy $s$ of type $(\tau_1, \ldots, \tau_k \to \gamma)$ and $P$-strategies $s_1, \ldots, s_k$ of type $\tau_1, \ldots, \tau_k$, the play $p = s \bullet (s_1, \ldots, s_k)^O$ of maximal length in which $P$ and $O$ follow $s$ and $(s_1, \ldots, s_k)^O$ respectively is uniquely determined.

A functional play is terminated if it has a move answering the first move $?\varepsilon$. This move is necessarily the last one, by (F). If such $s \bullet (s_1, \ldots, s_k)^O$ is terminated by the move $!v$ then write
$$s[s_1, \ldots, s_k] = v.$$
$s[s_1, \ldots, s_k]$ is undefined otherwise. By $s[s_1, \ldots, s_k] \simeq t[t_1, \ldots, t_h]$ we mean that they are either both defined and equal, or both undefined.
The functional interpretation of strategies depends on the following fact. For each type $\tau$ define the binary relation $\approx$ among strategies of type $\tau$ inductively as follows:

— if $\tau$ is a ground type, $s \approx s' \iff s = s'$;

— if $\tau = (\tau_1, \ldots, \tau_k \to \gamma)$, $s \approx s' \iff \forall s_1, s'_1, \ldots, s_k, s'_k.\ \bigwedge_{i=1}^{k} s_i \approx s'_i \implies s[s_1, \ldots, s_k] \simeq s'[s'_1, \ldots, s'_k]$.

Then, if $s_i \approx s'_i$ for $1 \leq i \leq k$ and $s$ is a strategy of type $(\tau_1, \ldots, \tau_k \to \gamma)$, $s[s_1, \ldots, s_k] \simeq s[s'_1, \ldots, s'_k]$.

The type structure of the Hereditarily Sequential Functionals¹, HSF, is defined as follows. To each type $\tau$ is associated a set $\mathrm{HSF}^\tau$ of functionals, and to each strategy $s$ of type $\tau$ a functional $F_s \in \mathrm{HSF}^\tau$. Set $F_{(?\varepsilon)} = \bot$ and $F_v = v$, where $v = (?\varepsilon, !v)$. If $s$ is a strategy of type $\tau = (\tau_1, \ldots, \tau_k \to \gamma)$ then $F_s : \mathrm{HSF}^{\tau_1} \times \cdots \times \mathrm{HSF}^{\tau_k} \to \mathrm{HSF}^\gamma$ is the functional
$$F_s(F_{s_1}, \ldots, F_{s_k}) = s[s_1, \ldots, s_k] \quad \text{if defined.}$$
Finally $\mathrm{HSF}^\tau = \{F_s \mid s \text{ is a strategy of type } \tau\}$; in particular $\mathrm{HSF}^\gamma = (V_\gamma)_\bot$.

The structure HSF is a type frame. To see this we need a definition of application between strategies of higher type, namely an operation $\mathrm{App}(s, t) = s[t]$ where, if $s$ is some strategy of type $\sigma \to \tau$ and $t$ of type $\sigma$, $s[t]$ is a strategy of type $\tau$.

Let $p$ be a play of type $(\tau_1, \ldots, \tau_k \to \gamma)$: $q$ is the subplay of $p$ on the $i$-th component if it is the maximal subplay of $p$ such that any question of $q$ but the first one has the shape $?i.a$.

If $p$ is a play of type $\tau = (\tau_1, \ldots, \tau_k \to \gamma)$, then we may construct a play $p|\sigma$ of type $\sigma = (\tau_2, \ldots, \tau_k \to \gamma)$ by restricting $p$ to the moves not in the first component. Take $I = \{\xi < \mathrm{length}(p) \mid \forall a, v.\ p_\xi \neq ?1.a \land p_\xi \neq !1.a.v\}$: then $p|I$ is a subplay of $p$ and there exists a play $q$ of type $\sigma$ and a play morphism $\varphi$ such that $\varphi[q] = p|I$, $q_\zeta = ?(j-1).a$ whenever $p_{\varphi_0(\zeta)} = ?j.a$, $q_\zeta = p_{\varphi_0(\zeta)}$ otherwise, and $\varphi_1$ is the identity; $q$ is fully determined by $\varphi$ and $r_p$.

Proposition 3. Let $s$ be a strategy of type $\tau = (\tau_1, \ldots, \tau_k \to \gamma)$. Consider $\sigma = (\tau_2, \ldots, \tau_k \to \gamma)$ and some strategy $t$ of type $\tau_1$. Define $s[t]$ as the set of all $P$-cut free plays $p'$ such that for some play $p$ of type $\tau$:

1. $p'$ is a $P$-view of $p|\sigma$;

2. $P$ follows $s$ on $p$;

3. if $q$ is the subplay of $p$ on the first component then $O$ follows $t^{(1)}$ on $q$.

Then $s[t]$ is a strategy of type $\sigma = (\tau_2, \ldots, \tau_k \to \gamma)$ such that, for all strategies $t_2, \ldots, t_k$ of type $\tau_2, \ldots, \tau_k$,
$$s[t][t_2, \ldots, t_k] \simeq s[t, t_2, \ldots, t_k].$$
By this the functional application is simply defined by: $F_s(F_t) =$



¹ We give to this structure the same name as in [11], but they are different since our HSF properly includes the structure considered by Nickau.
4 Well-founded total functionals

In this section and in the next one we restrict our attention to type structures over $T(N) = T(\{N\})$, namely to simple types with ground type $N$. We also fix $V_N = \omega$.

A $P$-strategy $s$ is winning if $P$ always wins against any $O$-strategy by following $s$. It is strongly winning if any $p \in s$ has some extension $q \in s$ won by $P$. A strongly winning strategy is winning, but not vice versa: indeed a winning strategy may include plays lost by $P$ which simply cannot be a $P$-view of any play against some $O$-strategy. Strongly winning strategies are complete: by Theorem 1 any play of limit length can be extended; on the other hand in a $P$-cut free play just $P$ may play at limit points; therefore if $s$ is a winning strategy and $p$ is a $P$-cut free play of limit length $\lambda$, then $p \in s$ if and only if $p|\xi \in s$ for all $\xi < \lambda$.

Winning strategies are related to total functionals: $F_s \in \mathrm{HSF}^{(\tau_1, \ldots, \tau_k \to N)}$ is total if for all total $F_{s_1}, \ldots, F_{s_k}$ there exists $n \in V_N$ such that
$$F_s(F_{s_1}, \ldots, F_{s_k}) = n.$$

Theorem 3. $F_s$ is total if and only if $s$ is strongly winning.

The proof of the last theorem depends on the fact that any strategy $s$ is included in some strongly winning strategy (possibly of transfinite height). This implies that any partial object in HSF has a total extension within HSF: this should be contrasted with the Scott continuous functionals, where e.g. Plotkin's continuous existential quantifier is maximal (w.r.t. the pointwise ordering) but not total (see [12]). The same remark applies to the PCF definable functionals: indeed (our) HSF is a larger model than the extensional collapse of innocent strategies.

Because of the existence of transfinite plays and of strategies of transfinite height, any functional in the type frame HTF of the Hereditarily Total Functionals (the full type hierarchy over $V_N = \omega$) is an object of HSF².

Theorem 4. For all types $\tau$ and $F \in \mathrm{HTF}^\tau$ there exists a winning strategy $s$ of the same type such that $F = F_s$.

If $\kappa$ is an infinite regular ordinal and $s$ is a strategy of height $< \kappa$ (recall that the height of a tree $T$ is the first ordinal $\alpha$ such that for all sequences $x \in T$, $\mathrm{length}(x) < \alpha$), we say that it is a $\kappa$-strategy: an $\omega$-strategy is then a well-founded tree. A functional $F \in \mathrm{HSF}^\tau$ is well-founded if there exists an $\omega$-strategy $s$ such that $F = F_s$. The following Corollary is an immediate consequence of the Cut-Elimination Theorem 2 and of the definition of totality.

² Strictly speaking any object of HTF turns out to be the restriction to total functionals of some object of HSF, as the latter may have partial functionals in its domain. In the sequel we shall not enter into such details, and we will consider HTF as a subframe of HSF.
Corollary 1. Total well-founded functionals from HSF are closed under application.

Let TWF be the type frame of Total Well-founded Functionals.

Theorem 5. TWF is a model of the simply typed $\lambda$-calculus.

Well-founded functionals embody the idea of functionals determined by finite 
amounts of information about their arguments: the same idea at the basis of 
Kleene-Kreisel countable functionals and of Scott continuous functionals. In the 
final part of this section we characterize the well-founded total functionals using 
a generalization to all types, due to Tait, of Brouwer’s notion of continuity for 
type 2 functionals. 

Definition 8. The Tait Continuous Functionals, TCF, is the least type frame over $T(N)$ such that:

1. $\mathrm{TCF}^N$ is the set of natural numbers;

2. TCF contains the combinators $S, K, I$ at all (suitable) types;

3. if $\{F_n \mid n \in \omega\} \subseteq \mathrm{TCF}^\tau$ then the functional $F(n) = F_n$ (also denoted by $\lambda n.\,F_n$) is in $\mathrm{TCF}^{(N \to \tau)}$ (the $\omega$-rule).

Recursive Tait-continuous functionals, which are obtained from Definition 8 by asking in the third clause that the set $\{F_n \mid n \in \omega\}$ is recursive, are total functionals (this is a consequence of Tait's cut-elimination theorem for the $\omega$-logic). That TCF is a subframe of HTF will be a consequence of the proof that TCF and TWF actually coincide.

It is not difficult to show that $\mathrm{TCF} \subseteq \mathrm{TWF}$, since by Theorem 5 it suffices to prove the closure of TWF under the $\omega$-rule. Suppose that $F_n = F_{s_n}$ for all $n$ and take $s$ as the prefix closure of the set of all $P$-cut free plays $p$ of type $(N \to \tau)$ such that $p = (?\varepsilon, ?1, !n) * q$, and $q$ is obtained from some $q' \in s_n$ by substituting each move of the form $?i.a$ by $?(i+1).a$. Then $s$ is a strategy of type $(N \to \tau)$, and $F_s = \lambda n.\,F_n$.

To prove that $\mathrm{TCF} \supseteq \mathrm{TWF}$ the following lemma is needed (compare with [11], Theorem 3.3.6). If $T$ is a tree then $T_x = \{y \mid (x) * y \in T\}$ is an immediate subtree of $T$; a proper subtree of $T$ is either an immediate subtree or a proper subtree of some immediate subtree of $T$. Recall that well-founded trees admit an inductive definition: $T$ is well-founded if all immediate subtrees of $T$ are such.

Lemma 1. Let $s$ be an $\omega$-strategy of type $(\tau_1, \ldots, \tau_k \to N)$ such that $s \neq n$ for any $n$. Then there exist $1 \leq i \leq k$ and $\omega$-strategies $s_1, \ldots, s_m$ (where $\tau_i = (\sigma_1, \ldots, \sigma_m \to N)$) and a family of $\omega$-strategies $\{s'_m\}_{m \in \omega}$ such that, for all strategies $t_1, \ldots, t_k$ of type $\tau_1, \ldots, \tau_k$, if $t_i[s_1[t_1, \ldots, t_k], \ldots, s_m[t_1, \ldots, t_k]] \simeq m$ then $s[t_1, \ldots, t_k] \simeq s'_m[t_1, \ldots, t_k]$. Moreover $s_1, \ldots, s_m$ and each $s'_m$ are isomorphic to proper subtrees of $s$.

Theorem 6. The well-founded functionals are exactly the Tait-continuous functionals, namely $\mathrm{TWF} = \mathrm{TCF}$.
Proof. Let $F = F_s$ be a well-founded functional of type $(\tau_1, \ldots, \tau_k \to N)$. If $s = n$ then $F_s = \lambda x_1 \ldots x_k.\,n$ and it is trivially Tait-continuous. Otherwise, by induction over the well-founded tree $s$ and by Lemma 1, there exist $G_1 = F_{s_1}, \ldots, G_m = F_{s_m}$ and $G'_m = F_{s'_m}$ for each $m \in \omega$ which are Tait-continuous and such that, if $F_i(G_1(F_1, \ldots, F_k), \ldots, G_m(F_1, \ldots, F_k)) = m$ then $F(F_1, \ldots, F_k) = G'_m(F_1, \ldots, F_k)$. Therefore
$$F(F_1, \ldots, F_k) = (\lambda m.\,G'_m(F_1, \ldots, F_k))\big(F_i(G_1(F_1, \ldots, F_k), \ldots, G_m(F_1, \ldots, F_k))\big)$$
is Tait-continuous, as it is obtained by applying the $\omega$-rule to a combination of $F_1, \ldots, F_k$ and of constants for Tait-continuous functionals.

□

5 Computable non well-founded functionals

Given any $F \in \mathrm{HTF}^{((N \to N) \to N)}$ there exist $f, g \in \mathrm{HTF}^{(N \to N)}$ such that
$$f(F(f)) \neq g(F(g)) \qquad (1)$$
$$F(f) = F(g) \qquad (2)$$
Indeed for any ordinal $\xi$ let $h_\xi$ be the characteristic function of $X_\xi = \{F(h_\zeta) \mid \zeta < \xi\}$. By a cardinality reasoning there exists a minimal $\alpha < \omega_1$ such that $X_{\alpha+1} = X_\alpha$; therefore $h_\alpha(F(h_\alpha)) = h_{\alpha+1}(F(h_\alpha)) = 1$. Since $F(h_\alpha) \in X_{\alpha+1} = X_\alpha$ there exists a (unique) $\beta < \alpha$ such that $F(h_\alpha) = F(h_\beta)$. If $h_\beta(F(h_\beta)) = 1$ then $X_\beta = X_{\beta+1}$, contradicting the minimality of $\alpha$, so that $h_\beta(F(h_\beta)) \neq h_\alpha(F(h_\alpha))$: now set $f = h_\alpha$ and $g = h_\beta$.

The construction of $f, g$ is uniform in $F$, so that there exist two total functionals $\Phi, \Psi$ of type $(((N \to N) \to N), N \to N)$ such that $f = \Phi(F)$ and $g = \Psi(F)$ satisfy (1), (2). If $F$ is continuous (w.r.t. the product topology over $\mathrm{HTF}^{(N \to N)} = \omega^\omega$) then $\alpha < \omega$. In this case it is easily proved that $\Phi(F)(n) = m$ and $\Psi(F)(n) = m$ are predicates recursive in $F$. In this sense $\Phi$ and $\Psi$ are "computable" type 3 functionals.
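The construction of $f$ and $g$ above, carried out for a continuous $F$ (an added example, not from the paper): the stages $X_\xi$ are computed until $X_{\alpha+1} = X_\alpha$, the stage $\beta$ is recovered, and properties (1) and (2) can be checked on the result. The sample $F$, which reads three bits of its argument, is a constructed assumption.

```python
from typing import Callable, FrozenSet, Tuple

Func = Callable[[int], int]

def chi(X: FrozenSet[int]) -> Func:
    """Characteristic function of X, i.e. the h_xi of the text when X = X_xi."""
    return lambda n: 1 if n in X else 0

def phi_psi(F: Callable[[Func], int], max_stages: int = 10_000) -> Tuple[FrozenSet[int], FrozenSet[int]]:
    """Run the construction of the text on a total continuous F : (N -> N) -> N.
    Stage xi holds X_xi = {F(h_zeta) | zeta < xi} and h_xi = chi(X_xi); alpha is
    the first stage with F(h_alpha) already in X_alpha (so X_{alpha+1} = X_alpha),
    and beta < alpha is the unique earlier stage with F(h_beta) = F(h_alpha).
    Returns (X_alpha, X_beta): f = Phi(F) = chi(X_alpha), g = Psi(F) = chi(X_beta).
    For continuous F only finitely many stages are needed (alpha < omega); the
    max_stages cap is merely a guard against a non-continuous argument."""
    X = frozenset()
    values = []                     # values[zeta] = F(h_zeta); pairwise distinct below alpha
    for _ in range(max_stages):
        v = F(chi(X))
        if v in X:                  # alpha reached: X_{alpha+1} = X_alpha
            beta = values.index(v)  # the unique beta < alpha with F(h_beta) = v
            return X, frozenset(values[:beta])   # X_beta = {F(h_zeta) | zeta < beta}
        values.append(v)
        X = X | {v}                 # X_{xi+1} = X_xi + {F(h_xi)}
    raise RuntimeError("no finite stage alpha: F does not look continuous")

def witnesses(F: Callable[[Func], int]):
    """Return (f, g, F(f), F(g), f(F(f)), g(F(g))) so that (1) and (2) can be inspected."""
    Xa, Xb = phi_psi(F)
    f, g = chi(Xa), chi(Xb)
    return f, g, F(f), F(g), f(F(f)), g(F(g))

# Constructed example: F reads the first three bits of its argument as a number,
# so it is continuous (it depends on finitely many values of h).
def F_bits(h: Func) -> int:
    return sum(h(i) << i for i in range(3))

if __name__ == "__main__":
    Xa, Xb = phi_psi(F_bits)
    print("X_alpha =", sorted(Xa), " X_beta =", sorted(Xb))
    f, g, Ff, Fg, fFf, gFg = witnesses(F_bits)
    print(f"F(f) = {Ff} = F(g) = {Fg};  f(F(f)) = {fFf} != g(F(g)) = {gFg}")
```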

By Theorem 4 $\Phi, \Psi$ are objects of HSF. More explicitly a strategy for $\Phi$ is the least prefix closed set of $P$-cut free plays of type $(((N \to N) \to N), N \to N)$ including plays of the following two forms (using the symbolic notation):
$$(\Phi(F, x) = ?,\ F(f) = ?,\ F(f) = n_0,\ \ldots,\ F(f) = ?,\ F(f) = n_\eta\ (\text{for all } \eta < \xi),\ F(f) = ?,\ f(y) = ?,\ y = ?,\ y = m,\ f(y) = h_\xi(m))$$
which accounts for the computation of $F(h_\xi)$, and
$$(\Phi(F, x) = ?,\ F(f) = ?,\ F(f) = n_0,\ \ldots,\ F(f) = ?,\ F(f) = n_\alpha,\ x = ?,\ x = n,\ \Phi(F, x) = h_\alpha(n)),$$
which yields the value of $\Phi(F, x)$. In the second line, as in the informal definition of $\Phi$, $\alpha$ is the minimum ordinal such that $n_\alpha = n_\beta$ for a (unique) $\beta < \alpha$. The definition of a strategy for $\Psi$ is similar, but the last move in the second case is
$$\Psi(F, x) = h_\beta(n).$$

These strategies are both $\omega_1$-strategies, where $\omega_1$ is the first uncountable ordinal. Next we prove that $\Phi, \Psi$ have no $\omega$-strategy.

Theorem 7. $\Phi$ and $\Psi$ are not well-founded functionals.

The proof uses two Lemmas. By $F \subseteq G$ it is meant graph inclusion.

Lemma 2. Let $F$ be a partial injective function from $\mathrm{HTF}^{(N \to N)}$ to $N$, $X$ be the range of $F$, $x \notin X$ and $f \in \mathrm{HTF}^{(N \to N)}$; then there exists $G$ partial injective such that $\mathrm{Rng}(G) \subseteq X \cup \{x\}$, $F \subseteq G$ and $f \in \mathrm{Dom}(G)$.

Lemma 3. Let $\{s_n \mid n \in \omega\}$ be a family of winning $\omega$-strategies of type $(((N \to N) \to N) \to N)$, and $X \subseteq \omega$ an infinite set. Then there exists $F$ partial injective from $\mathrm{HTF}^{(N \to N)}$ to $N$ with range $X$ s.t. $F_{s_n}(F)$ is defined for all $n$.

Proof of Theorem 7. Toward a contradiction suppose that $\Phi = F_s$ and $\Psi = F_t$ for some (winning) $\omega$-strategies $s, t$. Then there exist winning $\omega$-strategies $s_n$ and $t_m$ associated to $\Phi_n = \lambda F.\,\Phi(F, n)$ and $\Psi_m = \lambda F.\,\Psi(F, m)$ respectively. Let us abbreviate by $\theta(n, m)$ a strategy for the functional $\Theta(n, m) \in \mathrm{HTF}^{(((N \to N) \to N) \to N)}$ such that
$$\Theta(n, m)(G) = \langle \Phi(G)(n), \Psi(G)(m) \rangle,$$
where $\langle \_, \_ \rangle$ is a surjective pairing function over the natural numbers. Of course $\theta(n, m)$ can be constructed from $s_n$ and $t_m$ in such a way that it is an $\omega$-strategy. Being $\Theta(n, m)$ a total functional, $\theta(n, m)$ is winning by Theorem 3.

By Lemma 3, given any infinite $X \subseteq \omega$ and $\langle i, j \rangle \notin X$ we can find $F$ partial injective with range $\subseteq X$ such that $\Theta(n, m)(F)$ is defined for all $n, m$, which implies that $f = \Phi(F)$ and $g = \Psi(F)$ are total functions, since $\langle f(n), g(m) \rangle \simeq \Theta(n, m)(F)$ for all $n, m$.

Applying Lemma 2 twice we find $G$ partial injective such that $F \subseteq G$, $X \cup \{\langle i, j \rangle\}$ is the range of $G$ and $f, g \in \mathrm{Dom}(G)$. Let $H$ be any total extension of $G$: then $\Phi(F) \subseteq \Phi(G) \subseteq \Phi(H)$, and, as $f = \Phi(F)$ is total, $\Phi(H) = f$. Similarly $\Psi(H) = g$.

By (1) and (2) applied to $H$, $f(H(f)) \neq g(H(g))$ and $H(f) = H(g)$. From $H(f) = G(f)$ and $H(g) = G(g)$ it follows that $G(f) = G(g)$, hence $f = g$ since $G$ is injective: a contradiction.

□



6 Concluding remarks 

Although well-founded functionals are a natural structure, they do not capture the idea of (relative) computable functionals at type 3 and higher. This may be of minor interest as long as one is concerned with $\lambda$-calculus models, but becomes relevant when dealing with the constructive analysis of classical proofs, and with program extraction. Indeed the functionals $\Phi, \Psi$ can be shown to be natural realizers of the no-counterexample interpretation of the comprehension axiom scheme for classical second order arithmetic, and have been found following methods introduced in [4].

The fact that they are not well-founded may appear not surprising, as they are set theoretic functionals, defined also on discontinuous type 2 arguments (i.e. non continuous w.r.t. the product topology on type 1 objects), as is needed if they have to build "no-counterexamples" against any possible candidate as a counterexample. However they have the robust property, as argued in the previous section, of yielding finite plays on continuous (namely well-founded) arguments, which are effectively computable if the arguments are recursive. Actually $\Phi, \Psi$ are examples of a large class of functionals enjoying this property, which, we think, deserves further investigation.
Counting a Type's Principal Inhabitants

(Extended Abstract)

Abstract. We present a Counting Algorithm that computes the number of $\lambda$-terms in $\beta$-normal form that have a given type $\tau$ as a principal type and produces a list of these terms. The design of the algorithm follows the lines of Ben-Yelles' algorithm for counting normal (not necessarily principal) inhabitants of a type $\tau$.



1 Introduction 

In [2], Ben-Yelles presented a Counting Algorithm, also described in [3], which given a type $\tau$ computes the number of $\lambda$-terms in $\beta$-normal form that can receive type $\tau$ in $TA_\lambda$. For each type $\tau$ the algorithm decides in a finite number of steps whether the number of closed $\beta$-normal forms with type $\tau$ is finite or infinite, computes this number in the finite case, and lists all relevant terms in both cases. Related to this is the problem of counting the number of $\beta$-normal forms that have a given type $\tau$ as a principal type. As pointed out in ([3], p. 127), this problem is still open, and in this paper we present a Counting Algorithm which solves this case. Analogous to Ben-Yelles' algorithm, our algorithm for counting (and listing) principal normal inhabitants of a type $\tau$ is based on the following facts. First, it is sufficient to look for a special kind of principal normal inhabitants of $\tau$, called long terms. Second, there are integers $0 < \mathrm{dp}(\tau) < \mathrm{Dp}(\tau)$ such that the cardinality of the set of principal normal inhabitants of $\tau$ depends directly on the number of long principal normal inhabitants of $\tau$ with depth in $[0; \mathrm{dp}(\tau)[$ and on the number of those with depth in $[\mathrm{dp}(\tau); \mathrm{Dp}(\tau)[$, where depth is a measure on the structure of a $\lambda$-term in $\beta$-normal form. Finally, Ben-Yelles defined in [2] a Search Algorithm (others are in [6], [7] and [5]) that, given a type $\tau$ and any integer $d \geq 0$, can be used to compute all (a finite number of) long normal inhabitants of $\tau$ with depth $\leq d$. Thus, using any principal-type checking algorithm (for example in [3]) it is possible to compute the long principal normal inhabitants of $\tau$ with depth $\leq d$. Thus the problem of counting principal normal inhabitants of a type $\tau$ is essentially solved by computing the long principal normal inhabitants of $\tau$ with depth $< \mathrm{Dp}(\tau)$.

In Section 2 we describe the Counting Algorithm for normal principal inhabitants based on the existence of $\mathrm{dp}(\tau)$ and $\mathrm{Dp}(\tau)$ and on Ben-Yelles' Search Algorithm. In Section 3 we obtain a characterization of long normal principal inhabitants, which will give us a better insight into principal deductions for long terms in $\beta$-normal form and will thereby enable us in Section 4 to establish and prove the correctness of the limits $\mathrm{dp}(\tau)$ and $\mathrm{Dp}(\tau)$.
2 The Counting Algorithm

We use standard notation from [1] and [3]. Type-variables (atoms) are denoted by "$a, b, c, \ldots$" and arbitrary types are denoted by lower-case Greek letters. It has been pointed out in [3] that it is equivalent to count typed or untyped inhabitants of a type $\tau$. For the sake of simplicity, we restrict this paper to the untyped case. A term $M$ has a bound-variable clash iff $M$ contains an abstractor $\lambda x$ and a (free, bound or binding) occurrence of $x$ that is not in its scope. Note that for any $\lambda$-term $M$ there exists a $\lambda$-term $N$ without bound-variable clashes such that $M =_\alpha N$. In this paper we will only consider $\lambda$-terms without bound-variable clashes.

Definition 1. A type-assignment is an expression of the form $M : \tau$, where $M$ is a $\lambda$-term and $\tau$ is a type. The type $\tau$ is the predicate and $M$ is the subject of the type-assignment. A type-context or basis $\Gamma$ is any finite, perhaps empty, set of type-assignments with distinct variables as subjects. If $\Gamma = \{x_1 : \rho_1, \ldots, x_m : \rho_m\}$ define $\mathrm{Subjects}(\Gamma) = \{x_1, \ldots, x_m\}$. A TA-formula is any expression of the form $\Gamma \vdash M : \tau$, where $M$ is a term, $\Gamma$ a type-context and $\tau$ a type.

In the following we describe a system to assign types to $\lambda$-terms in $\beta$-nf.

Definition 2. Given a $\lambda$-term $M$ in $\beta$-nf, a type $\tau$ and a context $\Gamma$, we say that $M : \tau$ is derivable from $\Gamma$, and write $\Gamma \vdash M : \tau$, if the formula $\Gamma \vdash M : \tau$ can be produced by the following rules.



$$(\text{axiom})\quad \frac{}{\Gamma \vdash x : \alpha}\quad (\text{if } x : \alpha \in \Gamma)$$

$$(\text{app})\quad \frac{\Gamma \vdash M_1 : \alpha_1 \quad \cdots \quad \Gamma \vdash M_n : \alpha_n}{\Gamma \vdash x M_1 \ldots M_n : \beta}\quad (\text{if } x : \alpha_1 \to \cdots \to \alpha_n \to \beta \in \Gamma,\ n \geq 1)$$

$$(\text{abs})\quad \frac{\Gamma, x : \alpha \vdash M : \beta}{\Gamma \vdash \lambda x.M : \alpha \to \beta}$$

A TA-deduction $\Delta$ of $\Gamma \vdash M : \tau$ (where $M$ denotes a $\beta$-nf) is a tree of TA-formulae, those at the tops of branches being axioms and those below being deduced from those immediately above them by a rule ((app) or (abs)), and with bottom formula $\Gamma \vdash M : \tau$.



Proposition 3. Given a $\beta$-nf $M$, a basis $\Gamma$ and a type $\tau$ such that $\Gamma \vdash M : \tau$, there is exactly one deduction $\Delta$ of $\Gamma \vdash M : \tau$.

Proof. Straightforward.
Definition 4. Let $M$ be a $\beta$-nf and $(\Gamma, \tau)$ a pair such that $\Gamma \vdash M : \tau$. We say that $M$ is long with respect to $(\Gamma, \tau)$ iff for every formula of the form $\Gamma' \vdash x M_1 \ldots M_n : \alpha$, $n \geq 0$, in the unique deduction of $\Gamma \vdash M : \tau$, $\alpha$ is an atom. We call $M$ a normal inhabitant of a type $\tau$ iff $M$ is in $\beta$-nf and $\vdash M : \tau$, and denote the set of normal inhabitants of a type $\tau$ by $\mathrm{Nhabs}(\tau)$. The set of principal normal inhabitants of a type $\tau$ is called $\mathrm{Nprinc}(\tau)$. The set of normal inhabitants of $\tau$ which are long with respect to $(\emptyset, \tau)$ is called $\mathrm{Long}(\tau)$. The set of long principal normal inhabitants is called $\mathrm{Lprinc}(\tau)$.

Thus,
$$\mathrm{Lprinc}(\tau) = \mathrm{Long}(\tau) \cap \mathrm{Nprinc}(\tau) \subseteq \mathrm{Long}(\tau) \subseteq \mathrm{Nhabs}(\tau).$$

The (finite) set of all terms obtained by $\eta$-reducing a $\lambda$-term $M$ is called the $\eta$-family of $M$ and denoted by $\{M\}_\eta$. It has been shown (cf. [3]) that the $\eta$-families of the long normal inhabitants of $\tau$ partition $\mathrm{Nhabs}(\tau)$ into non-overlapping finite subsets, each $\eta$-family containing just one long member. From this and from the two following results (in [3]) we conclude that counting $\mathrm{Nprinc}(\tau)$ corresponds essentially to counting $\mathrm{Lprinc}(\tau)$.

Lemma 5 (Completeness of $\mathrm{Long}(\tau)$; Ben-Yelles 1979). Every normal inhabitant of $\tau$ can be $\eta$-expanded to a long normal inhabitant of $\tau$. And this long inhabitant is unique (modulo $=_\alpha$); i.e.
$$\{M, N \in \mathrm{Long}(\tau) \text{ and } M =_\eta N\} \implies M =_\alpha N.$$

Lemma 6 (in Hindley '97). Let $M^+$ be the unique member of $\mathrm{Long}(\tau)$ to which $M$ $\eta$-expands. Then,
$$M \in \mathrm{Nprinc}(\tau) \implies M^+ \in \mathrm{Nprinc}(\tau).$$

Hence, if $M \in \mathrm{Nprinc}(\tau)$, then $M^+ \in \mathrm{Lprinc}(\tau)$. We conclude that $\mathrm{Nprinc}(\tau) = \emptyset$ iff $\mathrm{Lprinc}(\tau) = \emptyset$ and that $\mathrm{Nprinc}(\tau)$ is infinite iff $\mathrm{Lprinc}(\tau)$ is. Furthermore,
$$\mathrm{Nprinc}(\tau) \subseteq \bigcup_{M \in \mathrm{Lprinc}(\tau)} \{M\}_\eta.$$



Hence, our algorithm will focus on long normal principal inhabitants and, following Ben-Yelles' algorithm, the search will be done in order of increasing depth of terms.

Definition 7. The depth of a $\lambda$-term $M$ in $\beta$-nf is defined as follows and denoted by $\mathrm{Depth}(M)$.

i. $\mathrm{Depth}(y) = \mathrm{Depth}(\lambda x_1 \ldots x_m.\,y) = 0$;

ii. $\mathrm{Depth}(\lambda x_1 \ldots x_m.\,y M_1 \ldots M_n) = 1 + \max_{1 \leq j \leq n} \mathrm{Depth}(M_j)$, if $n > 0$.
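An added implementation of Definitions 2, 4 and 7 (example code written for this page, not the authors' own): it builds the unique TA-deduction of $\Gamma \vdash M : \tau$ for a $\beta$-nf, decides whether $M$ is long with respect to $(\Gamma, \tau)$, and computes $\mathrm{Depth}(M)$. The term representation and the sample terms over $(a \to b) \to a \to b$ are assumptions.

```python
from dataclasses import dataclass
from typing import Union

# Types: an atom is a str ("a", "b", ...); Arrow(left, right) is left -> right.
@dataclass(frozen=True)
class Arrow:
    left: "Type"
    right: "Type"

Type = Union[str, Arrow]

def show(ty: Type) -> str:
    """Print a type with the usual right-associative arrow convention."""
    if isinstance(ty, str):
        return ty
    left = show(ty.left)
    if isinstance(ty.left, Arrow):
        left = f"({left})"
    return f"{left}->{show(ty.right)}"

@dataclass(frozen=True)
class NF:
    """A beta-normal form \\x1...xm. y M1 ... Mn  (m, n >= 0), stored head-first."""
    binders: tuple          # ("x1", ..., "xm")
    head: str               # the head variable y
    args: tuple = ()        # (M1, ..., Mn), each an NF

def deduce(ctx: dict, term: NF, ty: Type) -> list:
    """Return the unique TA-deduction of  ctx |- term : ty  (Definition 2) as the
    list of its TA-formulae (basis, subject, predicate), bottom formula first.
    Raise TypeError when no deduction exists.  Every rule is syntax directed, so
    the search never branches (Proposition 3)."""
    formulas = [(dict(ctx), term, ty)]
    if term.binders:                                   # rule (abs), one binder at a time
        x, body = term.binders[0], NF(term.binders[1:], term.head, term.args)
        if not isinstance(ty, Arrow):
            raise TypeError(f"lambda {x} needs an arrow type, got {show(ty)}")
        if x in ctx:                                   # bound-variable clash: excluded by the paper
            raise TypeError(f"bound-variable clash on {x}")
        return formulas + deduce({**ctx, x: ty.left}, body, ty.right)
    if term.head not in ctx:                           # (axiom) and (app) need x : ... in the basis
        raise TypeError(f"variable {term.head} is not in the basis")
    head_ty = ctx[term.head]
    for arg in term.args:                              # rule (app): peel alpha_i off the type of x
        if not isinstance(head_ty, Arrow):
            raise TypeError(f"{term.head} is applied to too many arguments")
        formulas += deduce(ctx, arg, head_ty.left)
        head_ty = head_ty.right
    if head_ty != ty:                                  # what remains must be the predicate beta
        raise TypeError(f"{term.head}... has type {show(head_ty)}, expected {show(ty)}")
    return formulas

def is_long(ctx: dict, term: NF, ty: Type) -> bool:
    """Definition 4: M is long w.r.t. (ctx, ty) iff in its unique deduction every
    formula whose subject is an application x M1 ... Mn (n >= 0, no leading
    abstraction) has an atomic predicate."""
    return all(isinstance(pred, str)
               for _, subj, pred in deduce(ctx, term, ty) if not subj.binders)

def depth(term: NF) -> int:
    """Definition 7: Depth(\\x1..xm.y) = 0, Depth(\\x1..xm.y M1..Mn) = 1 + max Depth(Mj)."""
    return 0 if not term.args else 1 + max(depth(m) for m in term.args)

# Constructed examples over tau = (a->b)->a->b.
TAU = Arrow(Arrow("a", "b"), Arrow("a", "b"))
LONG_FORM = NF(("f", "x"), "f", (NF((), "x"),))    # \f.\x. f x : a long normal inhabitant
SHORT_FORM = NF(("f",), "f")                        # \f. f : eta-reduct of the one above, not long

if __name__ == "__main__":
    for t in (LONG_FORM, SHORT_FORM):
        print(len(deduce({}, t, TAU)), "formulae;",
              "long" if is_long({}, t, TAU) else "not long", "; depth", depth(t))
```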
In [2] Ben-Yelles defined an algorithm, called Search Algorithm, that given a composite type $\tau$, i.e. non-atomic (note that atomic types have no inhabitants at all), produces a sequence $A(\tau, 0), A(\tau, 1), A(\tau, 2), \ldots$ of finite sets of expressions, called nf-schemes, such that each member of $A(\tau, d + 1)$ which is a $\lambda$-term is a closed $\beta$-nf with depth $d$. More precisely, one has the following, where $\mathrm{Long}(\tau, d)$ denotes the set of long normal inhabitants of $\tau$ with depth $\leq d$.

Theorem 8 (Search Theorem for Long(τ), Ben-Yelles'79).

The Search Algorithm accepts as input any composite type τ and outputs a finite or infinite sequence of sets A(τ, d) (d = 0, 1, 2, …) such that for all d ≥ 0,

i. each member of A(τ, d) is a closed nf-scheme with type τ and long with respect to (∅, τ), and is either

(a) a proper nf-scheme with depth d, or

(b) a λ-term with depth d − 1;

ii. A(τ, d) is finite;

iii. Long(τ, d) ⊆ A(τ, 0) ∪ … ∪ A(τ, d + 1);

iv. if we call the set of all λ-terms in A(τ, d) "Aterms(τ, d)", then

$$\mathrm{Long}(\tau) = \bigcup_{d \ge 0} \mathrm{Aterms}(\tau, d).$$

Now, and analogously to the Counting Algorithm for Long(τ), the Counting Algorithm for Nprinc(τ) is based on the fact that Lprinc(τ) is infinite iff it has some member whose depth lies between two integers dp(τ) and Dp(τ) that can be computed from τ. Furthermore, if Lprinc(τ) has no member with depth in [dp(τ), Dp(τ)[, then Lprinc(τ) is finite or empty according as the number of long principal inhabitants of τ with depth < dp(τ) is finite or zero.

Definition 9. The total number of occurrences of type-variables in a type τ will be denoted by |τ| and is defined as follows

$$|a| = 1, \qquad |\rho \to \sigma| = |\rho| + |\sigma|.$$

The number of distinct type-variables occurring in τ will be denoted by ‖τ‖. Furthermore, if τ is a type let

$$\mathrm{dp}(\tau) = |\tau| \quad \text{and} \quad \mathrm{Dp}(\tau) = |\tau|^4.$$

In section 4 we will prove the following. 

Theorem 10. For any type τ, there is

i. Lprinc(τ) = ∅ iff Lprinc(τ) has no member with depth < Dp(τ);

ii. Lprinc(τ) is infinite iff it has a member M with dp(τ) ≤ depth(M) < Dp(τ);

iii. Lprinc(τ) is finite iff all its members with depth < Dp(τ) have depth < dp(τ).



Thus, we have the following algorithm to count Nprinc(τ).

Counting Algorithm for Nprinc(τ) 11. If τ is an atom, Nprinc(τ) is empty. If τ is composite, apply the Search Algorithm to τ and compute Aterms(τ, d) for d = 0, …, Dp(τ). Determine the set Ap of all λ-terms in Aterms(τ, 0) ∪ … ∪ Aterms(τ, Dp(τ)) that are principal inhabitants of τ (using any algorithm for checking principal types).

Case I If Ap = ∅, then Nprinc(τ) = ∅.

Case II If Ap has a member with depth ≥ dp(τ), then Nprinc(τ) is infinite. Apply the Search Algorithm to enumerate Aterms(τ, d) for d = 0, 1, 2, …, outputting for each of these sets its members which are principal inhabitants of τ as well as the members of their η-families that are principal inhabitants.

Case III If all members in Ap have depth < dp(τ), then Nprinc(τ) is finite. Output all members of Ap as well as the members of their η-families that are principal inhabitants.
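The Counting Algorithm restricted to Lprinc(τ), as an added worked example in Python (not code from the paper): long normal inhabitants are enumerated in order of increasing depth as in the Search Algorithm, principal types are computed by unification, and the three cases are decided. It omits the η-family output of Cases II and III and assumes Dp(τ) = |τ|^4, the bound the Shrinking Lemma's argument arrives at; types are tuples, and a long normal term (xs, y, args) stands for λxs.y args.

```python
import itertools
# Simple types: an atom is a str, an arrow type is ('->', left, right).
def arr(*ts):   # arr(s1, ..., sn, e) builds s1 -> ... -> sn -> e
    t = ts[-1]
    for s in reversed(ts[:-1]):
        t = ('->', s, t)
    return t

def split(t):   # write t uniquely as s1 -> ... -> sm -> e with e an atom
    prems = []
    while isinstance(t, tuple):
        prems.append(t[1])
        t = t[2]
    return prems, t

def size(t):    # |t|: number of occurrences of type-variables (Definition 9)
    return 1 if isinstance(t, str) else size(t[1]) + size(t[2])
def dp(t): return size(t)         # lower depth limit dp(t) = |t|
def Dp(t): return size(t) ** 4    # upper depth limit Dp(t) = |t|^4 (assumed)

def depth(M):   # Definition 7; M = (xs, y, args) stands for \xs. y M1 ... Mn
    return 0 if not M[2] else 1 + max(depth(a) for a in M[2])

def long_inhabitants(tau, d, env=()):
    """Long normal inhabitants of tau w.r.t. env with Depth <= d (Search Algorithm)."""
    if d < 0:
        return []
    prems, e = split(tau)
    xs = [f"x{len(env) + i}" for i in range(len(prems))]  # clash-free binders
    env = env + tuple(zip(xs, prems))
    out = []
    for y, rho in env:
        rhos, tail = split(rho)
        if tail == e:                  # the head y must have tail e
            choices = [long_inhabitants(r, d - 1, env) for r in rhos]  # [] if n = 0
            out.extend((xs, y, list(args)) for args in itertools.product(*choices))
    return out

def walk(t, s):   # apply the substitution s to t, compressing variable chains
    if isinstance(t, tuple):
        return ('->', walk(t[1], s), walk(t[2], s))
    if t in s:
        s[t] = walk(s[t], s)
    return s.get(t, t)

def occurs(v, t):
    return v == t if isinstance(t, str) else occurs(v, t[1]) or occurs(v, t[2])

def unify(a, b, s):   # first-order unification; type-variables start with '?'
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return
    if isinstance(b, str) and b.startswith('?'):
        a, b = b, a                    # keep the type-variable on the left
    if isinstance(a, str) and a.startswith('?'):
        if occurs(a, b): raise TypeError("occurs check failed")
        s[a] = b
    elif isinstance(a, tuple) and isinstance(b, tuple):
        for i in (1, 2):
            unify(a[i], b[i], s)
    else:
        raise TypeError("type clash")

def infer(M, env, s, fresh):   # Hindley's algorithm on a long normal term
    xs, y, args = M
    env = dict(env)
    env.update((x, fresh()) for x in xs)    # one new type-variable per binder
    res = fresh()
    argtypes = [infer(a, env, s, fresh) for a in args]
    unify(env[y], arr(*argtypes, res), s)   # y : t1 -> ... -> tn -> res
    return arr(*[env[x] for x in xs], res)

def principal_type(M):   # principal type of a closed long normal term
    s, counter = {}, itertools.count()
    return walk(infer(M, {}, s, lambda: f"?{next(counter)}"), s)

def is_variant(pt, tau, m=None):
    """True iff tau equals pt up to a bijective renaming of type-variables."""
    m = {} if m is None else m
    if isinstance(pt, str):
        if pt in m or not isinstance(tau, str):
            return m.get(pt) == tau
        if tau in m.values():          # the renaming must be injective
            return False
        m[pt] = tau
        return True
    return isinstance(tau, tuple) and all(is_variant(pt[i], tau[i], m) for i in (1, 2))

def count_lprinc(tau):
    """Counting Algorithm 11 for Lprinc(tau): ('empty', 0), ('finite', n) or ('infinite', None)."""
    if isinstance(tau, str):
        return ('empty', 0)            # atoms have no inhabitants at all
    # Aterms(tau,0) u ... u Aterms(tau,Dp(tau)) = long terms of depth < Dp(tau)
    Ap = [M for M in long_inhabitants(tau, Dp(tau) - 1) if is_variant(principal_type(M), tau)]
    if not Ap:
        return ('empty', 0)            # Case I
    if any(depth(M) >= dp(tau) for M in Ap):
        return ('infinite', None)      # Case II
    return ('finite', len(Ap))         # Case III
```

For (a → a) → a → a the Church numerals λfx.f^n x with n ≥ 2 are principal, so Case II fires; for ((a → b) → c → c) → d of Example 14 the only long inhabitant is not principal, so Case I fires.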

3 Principal type inference for long normal λ-terms

In this section we introduce the typing system TApin which will give us a better insight into deductions of principal types for long normal inhabitants, and will thus enable us to prove the Shrinking and Stretching Lemmas for Lprinc(τ), which have Theorem 10 as a consequence.

Definition 12. The system TApin has an infinite set of axioms and three deduction rules as follows.

$$(\text{axiom})\quad \Gamma \vdash_{pin} x : a \parallel \emptyset \qquad (\text{if } x : a \in \Gamma)$$

$$(\text{app})\quad \frac{\Gamma \vdash_{pin} M_1 : a_1 \parallel \phi_1 \quad \cdots \quad \Gamma \vdash_{pin} M_n : a_n \parallel \phi_n}{\Gamma \vdash_{pin} xM_1 \ldots M_n : b \parallel \emptyset} \qquad (\text{if } x : a_1 \to \ldots \to a_n \to b \in \Gamma \text{ and } n \ge 1)$$

$$(\text{abs})\quad \frac{\Gamma, x : \alpha \vdash_{pin} M : \beta \parallel \phi}{\Gamma \vdash_{pin} \lambda x.M : \alpha \to \beta \parallel \emptyset}$$

$$(\text{U})\quad \frac{\Gamma \vdash_{pin} M : a \parallel \emptyset}{\Gamma \vdash_{pin} M : b \parallel (a, b)}$$

A TApin-deduction Δ is a tree of TApin-formulae, those at the tops of branches being axioms and those below being deduced from those immediately above them by a rule. The bottom formula in Δ is called its conclusion; if it is Γ ⊢_pin M : τ ‖ φ, we call Δ a deduction of Γ ⊢_pin M : τ.
In the following we are going to define a transformation-algorithm that, given the unique TA-deduction Δ of a formula Γ ⊢ M : τ, where M is a β-nf which is long with respect to (Γ, τ), and a pair (Γ', τ') obtained from (Γ, τ) by renaming occurrences of variables (note that different occurrences of variables may have been substituted by different variables), constructs a TApin-deduction Δ' of Γ' ⊢_pin M : τ', such that several arrows occurring in Δ' are possibly marked with a *. In the first step an unmarked version of Δ' will be constructed bottom-up from Δ as follows.

— if Γ ⊢ M : τ is an axiom, i.e. x : a ∈ Γ, M = x and τ = a, then x : a_k ∈ Γ' and τ' = a_l. Take Γ' ⊢_pin x : a_l ‖ (a_k, a_l) as the bottom formula of Δ' (U-rule) and precede it by Γ' ⊢_pin x : a_k ‖ ∅ (axiom).

— if Γ ⊢ M : τ was obtained by the (app)-rule from Γ ⊢ M_1 : a_1, …, Γ ⊢ M_n : a_n, thus M = xM_1…M_n and τ = b, then there is a type-assignment x : a'_1 → … → a'_n → b_k in Γ' and τ' = b_l. Take Γ' ⊢_pin xM_1…M_n : b_l ‖ (b_k, b_l) as the bottom formula of Δ' (U-rule), precede it by Γ' ⊢_pin xM_1…M_n : b_k ‖ ∅ (app) and precede this formula by the deductions Δ'_1, …, Δ'_n constructed from the TA-deductions Δ_1, …, Δ_n of Γ ⊢ M_1 : a_1, …, Γ ⊢ M_n : a_n and pairs (Γ', a'_1), …, (Γ', a'_n).

— if Γ ⊢ M : τ was obtained by the (abs)-rule, i.e. M = λx.N and τ = α → β, from Γ, x : α ⊢ N : β, then take Γ' ⊢_pin λx.N : α' → β' ‖ ∅ as the bottom rule in Δ' (abs) and precede it by the deduction Δ'_1 constructed from the deduction Δ_1 of Γ, x : α ⊢ N : β and pair (Γ' ∪ {x : α'}, β').

In the second step we mark arrows, starting top-down from axioms as follows.

— No arrows are marked for axioms.

— If Γ ⊢_pin xM_1…M_n : b ‖ ∅ results from Γ ⊢_pin M_1 : a_1 ‖ φ_1, …, Γ ⊢_pin M_n : a_n ‖ φ_n by the (app)-rule, then we mark x : a_1 → … → a_n → b in Γ as follows: x : a_1 →* … →* a_n →* b (no arrows are marked in a_1, …, a_n).

— If Γ ⊢_pin λx.M : α → β ‖ ∅ was obtained from Γ, x : α ⊢_pin M : β ‖ φ by the (abs)-rule, then we mark the following arrow: Γ ⊢_pin λx.M : α →* β ‖ ∅.

— Finally, no arrows are marked in formulae obtained by the U-rule.

Definition 13. The indexed counterpart (Γ_I, τ_I) of a pair (Γ, τ) is obtained by successively indexing all occurrences of type variables and arrows in (Γ, τ).

Note 1. If (Γ_I, τ_I) is the indexed counterpart of (Γ, τ), then ‖τ‖ ≤ |τ| = |τ_I| = ‖τ_I‖.

Example 14. The pair

$$(\{z : ((a_1 \to_1 b_1) \to_2 c_1 \to_3 c_2) \to_4 d_1\},\ d_2)$$

is the indexed counterpart of ({z : ((a → b) → c → c) → d}, d). The TA-deduction of

$$z : ((a \to b) \to c \to c) \to d \vdash z(\lambda xy.y) : d$$

is

$$\begin{array}{l}
z : ((a \to b) \to c \to c) \to d,\ x : a \to b,\ y : c \vdash y : c \\
z : ((a \to b) \to c \to c) \to d,\ x : a \to b \vdash \lambda y.y : c \to c \\
z : ((a \to b) \to c \to c) \to d \vdash \lambda xy.y : (a \to b) \to c \to c \\
z : ((a \to b) \to c \to c) \to d \vdash z(\lambda xy.y) : d
\end{array}$$

and the corresponding TApin-deduction of z : ((a_1 →_1 b_1) →_2 c_1 →_3 c_2) →_4 d_1 ⊢_pin z(λxy.y) : d_2 is

$$\begin{array}{l}
z : ((a_1 \to_1 b_1) \to_2 c_1 \to_3 c_2) \to_4 d_1,\ x : a_1 \to_1 b_1,\ y : c_1 \vdash_{pin} y : c_1 \parallel \emptyset \\
z : ((a_1 \to_1 b_1) \to_2 c_1 \to_3 c_2) \to_4 d_1,\ x : a_1 \to_1 b_1,\ y : c_1 \vdash_{pin} y : c_2 \parallel (c_1, c_2) \\
z : ((a_1 \to_1 b_1) \to_2 c_1 \to_3 c_2) \to_4 d_1,\ x : a_1 \to_1 b_1 \vdash_{pin} \lambda y.y : c_1 \to_3 c_2 \parallel \emptyset \\
z : ((a_1 \to_1 b_1) \to_2 c_1 \to_3 c_2) \to_4 d_1 \vdash_{pin} \lambda xy.y : (a_1 \to_1 b_1) \to_2 c_1 \to_3 c_2 \parallel \emptyset \\
z : ((a_1 \to_1 b_1) \to_2 c_1 \to_3 c_2) \to_4 d_1 \vdash_{pin} z(\lambda xy.y) : d_1 \parallel \emptyset \\
z : ((a_1 \to_1 b_1) \to_2 c_1 \to_3 c_2) \to_4 d_1 \vdash_{pin} z(\lambda xy.y) : d_2 \parallel (d_1, d_2)
\end{array}$$

Definition 15. Given a type τ and a binary relation Φ defined over the set of type-variables in τ, let C_Φ be the set of equivalence classes of the reflexive, symmetric and transitive closure of Φ.

Lemma 16. Consider any finite non-empty set A and n binary relations over A

$$\Phi_1 \subseteq \ldots \subseteq \Phi_n$$

such that C_{Φ_i} ≠ C_{Φ_j} for 1 ≤ i ≠ j ≤ n. Then n ≤ #A.

Proof Straightforward. •

The following result is a consequence of observing that the algorithm for computing the principal pair of a λ-term only introduces arrows required by the typing rules and only unifies two variables if this is absolutely required by the term structure. Note that the binary relation Φ corresponds directly to the connection relation for TA-figures in [4].

Proposition 17. Let M be a λ-term in normal form, Γ a type-context and τ a type such that Subjects(Γ) = FV(M), Γ ⊢ M : τ and M is long with respect to (Γ, τ). Consider the indexed counterpart (Γ_I, τ_I) of (Γ, τ). Let Δ_(Γ_I,τ_I) be the TApin-deduction of Γ_I ⊢_pin M : τ_I constructed from the unique TA-deduction of Γ ⊢ M : τ and let Φ be the set of all binary pairs in Δ_(Γ_I,τ_I). Then,



IS 
Proof It is straightforward to show that whenever (a, b) ∈ Φ then a and b are indexed versions of the same type-variable. Now, suppose that (Γ, τ) is no principal pair for M, i.e. there exists a (more general) pair (Γ_0, τ_0) such that Γ_0 ⊢ M : τ_0, Γ_0* = Γ and τ_0* = τ for some substitution *, but (Γ, τ) is no variant of (Γ_0, τ_0). If (Γ_0, τ_0) has the same structure as (Γ, τ), but at least two type-variables in (Γ_0, τ_0) are given the same name, say a, in (Γ, τ), then, considering the observation made at the beginning of the proof, it is easy to see that there are at least two equivalence classes in C_Φ containing indexed occurrences of a in (Γ_I, τ_I). If, on the other hand, one variable in (Γ_0, τ_0) has a composite type α → β in (Γ, τ), then the corresponding occurrences of the arrow will never be marked in Δ_(Γ_I,τ_I). This follows from the fact that the TA-deduction of Γ ⊢ M : τ is a copy of the TA-deduction of Γ_0 ⊢ M : τ_0 where all type-variables a are substituted by *(a). Analysing the transformation algorithm, one sees that the same holds for the corresponding TApin-deductions.

Conversely, suppose that M is a β-nf, Γ a type-context and τ a type such that Γ ⊢ M : τ, M is long with respect to (Γ, τ) and FV(M) ⊆ Subjects(Γ). Furthermore, consider (Γ_I, τ_I), Δ_(Γ_I,τ_I) and Φ as before. Let Φ' ⊇ Φ be any binary relation over the variables in (Γ_I, τ_I) such that there is some type-variable, say d, such that there are at least two different equivalence classes {d_{i_1}, …, d_{i_k}} and {d_{j_1}, …, d_{j_l}} in C_{Φ'} containing indexed occurrences of d. We prove by induction on the structure of M that, if we substitute in Δ_(Γ_I,τ_I) the occurrences d_{j_1}, …, d_{j_l} by c_{j_1}, …, c_{j_l}, for some new type-variable c, then we obtain a new TApin-deduction Δ'_c that corresponds to the TA-deduction Δ_c of Γ_c ⊢ M : τ_c, where (Γ_c, τ_c) is obtained from (Γ, τ) by substitution of the occurrences of d corresponding to d_{j_1}, …, d_{j_l} by c. Then (Γ_c, τ_c) is a more general pair such that Γ_c ⊢ M : τ_c and consequently (Γ, τ) is no principal pair for M.

If M = x, then (Γ, τ) = ({x : a}, a) and the result holds vacuously, since C_Φ = {{a_1, a_2}}.

If M = xM_1…M_n, then τ = b, x : a_1 → … → a_n → b ∈ Γ and Γ ⊢ xM_1…M_n : b results from Γ ⊢ M_1 : a_1, …, Γ ⊢ M_n : a_n by the (app)-rule. From the induction hypothesis we conclude that Γ_c ⊢ M_1 : a_1^c, …, Γ_c ⊢ M_n : a_n^c. If Δ'_{c,1}, …, Δ'_{c,n} are the corresponding TApin-deductions, then Δ'_c has the form

$$\begin{array}{c}
\Delta'_{c,1} \quad \cdots \quad \Delta'_{c,n} \\
\Gamma_c \vdash_{pin} xM_1 \ldots M_n : b^c_k \parallel \emptyset \\
\Gamma_c \vdash_{pin} xM_1 \ldots M_n : b^c_l \parallel (b^c_k, b^c_l).
\end{array}$$

Thus (b_k, b_l) ∈ Φ ⊆ Φ' belong to the same class in C_{Φ'} and the corresponding occurrences in (Γ_c, τ_c) are occurrences of the same type-variable. Hence, Γ_c ⊢ xM_1…M_n : b^c can be inferred from Γ_c ⊢ M_1 : a_1^c, …, Γ_c ⊢ M_n : a_n^c by the (app)-rule and Δ'_c corresponds to the TA-deduction Δ_c of Γ_c ⊢ xM_1…M_n : b^c.

The result is straightforward for M = λx.N.

Thus we showed that whenever (Γ, τ) is a principal pair for M then for each type-variable a in (Γ, τ) there is one equivalence class in C_Φ containing exactly all indexed occurrences of a in (Γ_I, τ_I). It remains to show that all (indexed) arrows have a marked occurrence in Δ_(Γ_I,τ_I). We proceed by induction on the structure of M.

If M = x, then the result holds vacuously.

For M = xM_1…M_n let (Γ, b) be a principal pair of xM_1…M_n obtained from Γ ⊢ M_1 : a_1, …, Γ ⊢ M_n : a_n by the (app)-rule and x : a_1 → … → a_n → b ∈ Γ. Then there are (Γ_1, a_1^0), …, (Γ_n, a_n^0) respectively principal pairs of M_1, …, M_n, such that Γ = Γ_1* ∪ … ∪ Γ_n* ∪ {x : v_1 → … → v_n → v}*, where * is the substitution resulting from the unification of the types assigned to variables in Γ_1, …, Γ_n as well as in {x : v_1 → … → v_n → v} (v_1, …, v_n, v are new type-variables) and such that a_1 = *(v_1) = *(a_1^0), …, a_n = *(v_n) = *(a_n^0) and b = *(v). Now, by the induction hypothesis, all occurrences of arrows in Γ_1, …, Γ_n, a_1^0, …, a_n^0 are marked in the TApin-deductions corresponding to the TA-deductions of Γ_1 ⊢ M_1 : a_1^0, …, Γ_n ⊢ M_n : a_n^0. Thus, the arrows resulting from the unification and corresponding to arrows in Γ_1, …, Γ_n, a_1^0, …, a_n^0 will also be marked in the TApin-deduction that corresponds to the TA-deduction of Γ ⊢ xM_1…M_n : b. Finally, note that the n main arrows in a_1 → … → a_n → b will be marked too.

The case M = λx.N is trivial, since if Γ ⊢ λx.N : α → β results from Γ, x : α ⊢ N : β by the (abs)-rule and (Γ, α → β) is a principal pair for λx.N, then (Γ ∪ {x : α}, β) is a principal pair for N and the result follows almost directly from the induction hypothesis. •

Example 18. Although C_Φ = {{a_1}, {b_1}, {c_1, c_2}, {d_1, d_2}} we conclude that ({z : ((a → b) → c → c) → d}, d) is no principal pair for z(λxy.y), since →_1 has no marked occurrence in the TApin-deduction of z : ((a_1 →_1 b_1) →_2 c_1 →_3 c_2) →_4 d_1 ⊢_pin z(λxy.y) : d_2.



4 Correctness 

We begin this section with several definitions and results (mostly from [3]) on the structure of types and terms, that we will need later on in order to prove Theorem 10. Note that every type τ can be written uniquely in the form

$$\tau_1 \to \ldots \to \tau_m \to e,$$

where e is an atom and m ≥ 0. Iff m ≥ 1 we call τ a composite type.

Definition 19. The significant subtypes or s-subtypes of a type τ = τ_1 → … → τ_m → e, where e is an atom and m ≥ 0, are defined recursively as follows.

— τ is an s-subtype of τ;

— every s-subtype of one of τ_1, …, τ_m, e is an s-subtype of τ.

A proper s-subtype of τ is an s-subtype ≠ τ. Particular occurrences of s-subtypes of τ are also called s-components of τ and are distinguished by underlining their names. An s-component of a type τ is defined to be positive or negative as follows.



78

Sabine Broda and Luís Damas



— τ is a positive s-component of τ;

— if τ = τ_1 → … → τ_m → e, then τ_1, …, τ_m are negative s-components of τ and e is a positive s-component of τ;

— if τ = τ_1 → … → τ_m → e and if ρ is an s-component of one of τ_1, …, τ_m, then ρ is a positive or negative s-component of τ according as it is a negative or positive s-component of τ_1, τ_2, … or τ_m.



Definition 20. If ρ is a composite s-component of a type τ and ρ = ρ_1 → … → ρ_n → a (n ≥ 1), the s-components ρ_1, …, ρ_n are called the premises of ρ and a is called the conclusion or tail-component of ρ.

An s-component of τ is called a subpremise or subtail of τ according as it is a premise or tail of another s-component of τ.



Definition 21. If τ is composite, NSS(τ) is the set of all finite sequences ⟨σ_1, …, σ_n⟩ (n ≥ 1) such that τ contains a positive composite s-component with form σ_1 → … → σ_n → a for some atom a. Each member of NSS(τ) is called a negative subpremise-sequence.

Every non-atomic λ-term X can be expressed uniquely in the form

$$X = \lambda x_1 \ldots x_m.\, v Y_1 \ldots Y_n \quad (m + n \ge 1).$$

The head and arguments of X are respectively v and Y_1, …, Y_n.

Definition 22. A subargument of a λ-term X is a component that is an argument of X or an argument of a proper component of X. If Z is a subargument of a λ-term X, the argument-branch from X to Z is the sequence ⟨Z_0, …, Z_k⟩ (k ≥ 1), such that Z_0 = X and Z_i is an argument of Z_{i−1} for i = 1, …, k, and Z_k = Z. It is called unextendable iff Z is an atom or abstracted atom. Its length is k (not k + 1).



Definition 23. Let Δ be a TApin-deduction of Γ ⊢_pin M : τ, let Z be a subargument of M; say

$$Z = \lambda x_1 \ldots x_m.\, y Z_1 \ldots Z_n \quad (m, n \ge 0)$$

and let Γ_Z ⊢_pin Z : α_1 → … → α_m → a ‖ ∅ be the node in Δ which corresponds to Z. The Initial Abstractors' Types sequence IAT(Z) is defined to be

$$\mathrm{IAT}(Z) = \langle \alpha_1, \ldots, \alpha_m \rangle$$

and has length m. The Initial Abstractors sequence IA(Z) is the (possibly empty) sequence

$$\mathrm{IA}(Z) = \langle x_1, \ldots, x_m \rangle .$$
Lemma 24. Let Δ be a deduction of ⊢ M : τ, where M is a long β-nf with respect to (∅, τ) and let Δ' be the corresponding TApin-deduction of ⊢_pin M : τ_I. Let Z be a subargument of M, and let Γ_Z ⊢_pin Z : σ ‖ ∅, with σ = σ_1 → … → σ_k → s, be the node in Δ' which corresponds to Z. Then

i. if σ is an atom, IAT(Z) = ∅;

ii. if σ is composite, IAT(Z) ∈ NSS(τ_I).

Proof Part i. is trivial. For part ii., we show by induction on the depth of Z in M, i.e. the length of the argument-branch from M to Z, that whenever x : a ∈ Γ_Z, then a occurs as a negative s-component in τ_I and σ (composite) occurs as a positive s-component of τ_I. In fact, suppose that Z has depth 1 in M, i.e. M = λx_1…x_m.vY_1…Y_n with m, n ≥ 1 and Z = Y_i for some 1 ≤ i ≤ n. Then τ_I = α_1 → … → α_m → a, and the node in Δ' that corresponds to Z is x_1 : α_1, …, x_m : α_m ⊢_pin Z : σ (note that σ is composite, so this node results from the (abs)-rule). By definition, α_1, …, α_m are negative s-components of τ_I. On the other hand, there is v = x_j for some 1 ≤ j ≤ m and α_j is of the form β_1 → … → β_n → b with β_i = σ. Thus, σ occurs as a negative s-component of a negative s-component of τ_I and occurs consequently as a positive s-component of τ_I.

The induction step is mostly a repetition of the previous argument.

Thus, if σ is composite, then σ occurs as a positive s-component of τ_I and by the definition of NSS(τ_I) follows IAT(Z) = ⟨σ_1, …, σ_k⟩ ∈ NSS(τ_I). •

It has been shown in [3] that whenever τ is a composite type, then #(NSS(τ)) ≤ |τ| − 1. Thus, if (∅, τ_I) is the indexed counterpart of (∅, τ), one has #(NSS(τ_I)) ≤ |τ_I| − 1 = |τ| − 1.

Lemma 25. If τ is composite and (∅, τ_I) is the indexed counterpart of (∅, τ), then

$$\#(\mathrm{NSS}(\tau_I)) \le |\tau| - 1. \ \bullet$$

The proofs of the following two lemmas follow closely the schemes of Ben-Yelles' proofs of corresponding results for Long(τ), from which they differ essentially in the justification of the encountered limits dp(τ) and Dp(τ). As in the original case (Long(τ)), the construction of a term with smaller depth (or greater in the case of the Stretching Lemma) is done by substitution of a subterm by another subterm with smaller (greater) depth. But in the case of principal inhabitants one has to be more careful choosing these subterms, leading thus to greater limits, in order to guarantee the preservation of principality.

Lemma 26 (Shrinking Lemma). If Lprinc(τ) has a member M with depth ≥ Dp(τ), then

i. there exists M* ∈ Lprinc(τ) with Depth(M) − |τ|^3 ≤ Depth(M*) < Depth(M);

ii. there exists N ∈ Lprinc(τ) with Dp(τ) − |τ|^3 ≤ Depth(N) < Dp(τ).
Proof For part i. consider a λ-term M ∈ Lprinc(τ) with depth d ≥ Dp(τ) and without bound-variable clashes. Let Δ_(∅,τ_I) be the TApin-deduction of ⊢_pin M : τ_I constructed from the unique TA-deduction of ⊢ M : τ and let Φ be the set of all binary pairs in Δ_(∅,τ_I). It follows from Proposition 17 that for each type-variable a in τ there is one equivalence class in C_Φ containing exactly all indexed occurrences of a in τ_I and that all (indexed) arrows in τ_I are marked in Δ_(∅,τ_I). In the following we are going to construct a term of depth < Depth(M) which has (∅, τ) as a principal pair. It has been shown in [3] that d = Depth(M) is the maximum of the lengths of all the argument-branches in M. Thus M has at least one argument-branch with length d and in order to reduce the depth of M it is necessary to shrink all these branches. Let ⟨N_0, …, N_d⟩ be any such branch, with

$$N_i = \lambda x_{i,1} \ldots x_{i,m_i}.\, u_i P_{i,1} \ldots P_{i,n_i} \quad (m_i, n_i \ge 0).$$

Let

$$\Gamma_i \vdash_{pin} N_i : \rho_{i,1} \to \ldots \to \rho_{i,m_i} \to a_i \parallel \emptyset$$

be the node in Δ_(∅,τ_I) that corresponds to N_i, for i = 0, …, d. Thus, IAT(N_i) = ⟨ρ_{i,1}, …, ρ_{i,m_i}⟩. For i = 0, …, d let B_i be the body of N_i, i.e. B_i = u_i P_{i,1} … P_{i,n_i}, and let Γ_{B_i} ⊢_pin B_i : a_{B_i} ‖ ∅ be the node in Δ_(∅,τ_I) that corresponds to B_i. Furthermore, let Φ_i and I_i be respectively the set of binary pairs and of indexes of marked arrows in the subtree of Δ_(∅,τ_I) with bottom formula Γ_{B_i} ⊢_pin B_i : a_{B_i} ‖ ∅. Then, I_i ⊆ I_{i−1} and Φ_i ⊆ Φ_{i−1} for i = 1, …, d.

As in [3] we define a sequence of integers d_0, d_1, …, d_n as follows: d_0 = 0 and d_{j+1} is the least i > d_j such that IAT(N_i) differs from all IAT(N_{d_0}), …, IAT(N_{d_j}). Obviously, one has n ≤ d as well as 0 = d_0 < d_1 < … < d_n ≤ d. Furthermore, for 0 ≤ i ≤ d, IAT(N_i) is identical to one of the n + 1

$$\mathrm{IAT}(N_{d_0}), \ldots, \mathrm{IAT}(N_{d_n}),$$

which are all distinct and by Lemma 24 are either empty or members of NSS(τ_I). Hence, by Lemma 25

$$n + 1 \le 1 + \#\mathrm{NSS}(\tau_I) \le 1 + |\tau| - 1 = |\tau|.$$

For j = 0, …, n define the following non-empty sets, called IAT-intervals, as follows:

$$\mathrm{II}_j = \{d_j, d_j + 1, \ldots, d_{j+1} - 1\} \quad (0 \le j \le n - 1), \qquad \mathrm{II}_n = \{d_n, d_n + 1, \ldots, d\}.$$

If II_j contains two numbers p, p + r such that r ≥ 1 and B_p and B_{p+r} have the same type (i.e. a_{B_p} = a_{B_{p+r}}), Φ_p = Φ_{p+r} and I_p = I_{p+r}, we shall call ⟨p, p + r⟩ a tail-repetition. It will be called minimal iff there is no other tail-repetition ⟨p', q'⟩ with p ≤ p' < q' ≤ p + r. It follows that each IAT-interval II_j without a tail-repetition must have ≤ |τ|^3 members as well as r ≤ |τ|^3. In fact, there are |τ| distinct atoms in τ_I, there are at most |τ| distinct equivalence classes corresponding to Φ_0 ⊇ Φ_1 ⊇ … ⊇ Φ_d (cf. Lemma 16), as well as at most |τ| distinct sets of indexes among I_0 ⊇ … ⊇ I_d (note that there are exactly |τ| arrows in τ_I). Thus, if none of the n + 1 IAT-intervals contained a tail-repetition, then the branch would have ≤ |τ|^4 members. But the branch has d + 1 members and

$$d + 1 = \mathrm{Depth}(M) + 1 \ge \mathrm{Dp}(\tau) + 1 > |\tau|^4.$$

Hence at least one IAT-interval contains a tail-repetition.

Now let II_j be the last interval containing a minimal tail-repetition, say ⟨p, p + r⟩. Suppose that v is a variable that occurs free in B_{p+r} with type-assignment v : a ∈ Γ_{B_{p+r}}. Since M is closed we conclude that v ∈ IA(N_0) ∪ … ∪ IA(N_{p+r}). Furthermore, by the definition of IAT-intervals, a ∈ IAT(N_q) for some q ≤ d_j ≤ p < p + r. Hence, there is some type-assignment v' : a ∈ Γ_{B_p}.

Now let B'_{p+r} be a term obtained from B_{p+r} by substituting all free variables v in B_{p+r} by some variable v' as above (possibly v itself if v : a ∈ Γ_{B_p}). Finally let M' be obtained from M by replacing B_p by B'_{p+r}. Note that Γ_{B_p} ⊆ Γ_{B_{p+r}}, i.e. Γ_{B_{p+r}} = Γ_{B_p} ∪ Γ_r for some Γ_r with Γ_{B_p} ∩ Γ_r = ∅ and such that no variable in Subjects(Γ_r) occurs in B'_{p+r}. Consider the subtree Δ_{p+r} of Δ_(∅,τ_I) with bottom formula Γ_{B_{p+r}} ⊢_pin B_{p+r} : a_{B_{p+r}} ‖ ∅. Let Δ'_{p+r} be obtained from Δ_{p+r} by substituting every term variable v by the corresponding v' ∈ Subjects(Γ_{B_p}) and erasing in the bases of the formulae all type-assignments for variables in Subjects(Γ_r). Then Δ'_{p+r} has bottom formula Γ_{B_p} ⊢_pin B'_{p+r} : a_{B_{p+r}} ‖ ∅. Now consider the tree obtained from Δ_(∅,τ_I) by substituting its subtree with bottom formula Γ_{B_p} ⊢_pin B_p : a_{B_p} ‖ ∅ by Δ'_{p+r} and by substituting B_p in all nodes below by B'_{p+r}. Then, it is straightforward to prove that the resulting tree Δ' is a TApin-deduction of ⊢_pin M' : τ_I which corresponds to a TA-deduction of ⊢ M' : τ and such that for the set Φ' of binary pairs in Δ' one has C_{Φ'} = C_Φ and all arrows marked in Δ_(∅,τ_I) are also marked in Δ'. Thus, we conclude that M' is a principal long inhabitant of τ. On the other hand, in a branch in M r ≤ |τ|^3 arguments have been removed. Thus d − |τ|^3 ≤ Depth(M') ≤ d. If Depth(M') < d let M* = M'. Otherwise, repeat shortening branches of length d until there are none left and define M* to be the first term produced by this procedure whose depth is less than d. Then d − |τ|^3 ≤ Depth(M*) < d. For part ii. it is sufficient to repeat i. and take the first output with depth < Dp(τ). •

Lemma 27 (Stretching Lemma). If Lprinc(τ) has a member M with depth ≥ dp(τ), then

i. there exists M* ∈ Lprinc(τ) with Depth(M*) ≥ Depth(M) + 1;

ii. Lprinc(τ) is infinite.

Proof Part ii. follows from i. by repetition. The construction of M* in i. is identical to the one in [3] for the Stretching Lemma for Long(τ) (not Lprinc(τ)). Choose any argument branch ⟨N_0, …, N_d⟩ of length d = Depth(M) ≥ |τ| and, as in the proof of the Shrinking Lemma, let B_i be the body of N_i for i = 0, …, d. Let Γ_{B_i} ⊢_pin B_i : a_{B_i} ‖ ∅ be the corresponding node in Δ_(∅,τ_I). Since d + 1 > |τ| = ‖τ_I‖, there are 0 ≤ p < p + r ≤ d such that B_p and B_{p+r} have the same type a = a_{B_p} = a_{B_{p+r}}. Define M* to be the result of replacing B_{p+r} in M by a copy of B_p, after (to avoid clashes) changing the names of the variables x_1, …, x_m in this copy to x'_1, …, x'_m, where {x_1 : α_1, …, x_m : α_m} = Γ_{B_{p+r}} \ Γ_{B_p}. Then M* has an argument branch with length d + r > d. In order to see that τ is a principal type of M*, consider the tree Δ'_{p+r} obtained from the subtree of Δ_(∅,τ_I) with bottom formula Γ_{B_p} ⊢_pin B_p : a ‖ ∅ by first replacing in each node all occurrences of x_1, …, x_m respectively by x'_1, …, x'_m and then adding {x_1 : α_1, …, x_m : α_m} to the bases in all nodes. Note that Δ'_{p+r} has bottom formula Γ_{B_{p+r}} ⊢_pin B'_{p+r} : a ‖ ∅. Finally, let Δ' be the tree obtained from Δ_(∅,τ_I) by replacing its subtree with bottom formula Γ_{B_{p+r}} ⊢_pin B_{p+r} : a ‖ ∅ by Δ'_{p+r}. It is straightforward to see that Δ' is the TApin-deduction corresponding to the TA-deduction of ⊢ M* : τ and that all binary pairs and marked arrows in Δ_(∅,τ_I) occur in Δ'. Thus we conclude that M* ∈ Lprinc(τ). •

Whenever τ is a composite type, there is |τ| ≥ 2, thus

$$\mathrm{dp}(\tau) = |\tau| \le |\tau|^4 - |\tau|^3 = \mathrm{Dp}(\tau) - |\tau|^3 < \mathrm{Dp}(\tau).$$

Hence, Theorem 10 follows as a Corollary.
Abstract. We present a non-standard type assignment system and simplification mappings for detecting and removing useless-code in simply typed functional programs with algebraic datatypes and recursive functions. We characterize two classes of useless-code: the dead-code, that is code that is never executed under the lazy-call-by-name evaluation, and the minimum-information-code, that is code that contributes to the computation only with a minimum amount of constant information.



1 Introduction 

Useless-code analysis for functional programming languages has been mainly studied in the context of logical frameworks, like Coq [9], to remove useless-code from functional programs extracted from formal proofs (see [12] for an introduction to the subject). In fact, programs extracted from proofs usually contain large parts that are useless for the computation of the final result and some sort of simplification is mandatory. To this aim various simplification techniques have been proposed in the last ten years (e.g. [16,1,5,2,6,8,3]). More generally, useless-code elimination is worthwhile during compilation (see, for instance, [4]). Let us look at a couple of examples of useless-code detection and elimination.

Example 1. Let M = (λx^int.3)P where P is a term of type int. Since x is never used in the body of the λ-abstraction F = λx^int.3, we have that the value of M can be computed without using P, which is therefore useless-code. In fact, in a lazy-call-by-name language (like Miranda, Haskell and Clean), M behaves like the term M' = (λx^int.3)d, where d is a place-holder for the useless-code removed. Note that it is indeed possible to simplify the useless-code in a more substantial way, i.e. by removing the useless pair (formal parameter x, actual parameter d) and replacing M with the body of the λ-abstraction (the constant 3).

In the following we will call dead-code the useless-code that, like P above, is never executed under the lazy-call-by-name evaluation strategy. The next (more complex) example introduces another class of useless-code, called minimum-information-code, that has been characterized by Berardi and Boerio in [3].
Example 2. Let intList = data X.Nil | Cons(int, X) be the datatype of the list of integers, and bool = data X.True | False be the datatype of booleans. Consider the term N = λx^int.GPA, where G : int → intList → int = λy^int.λz^intList.case z of { Nil to Q_1 | Cons(h,t) to Q_2 } and A : intList = case B of { True to Cons(E_1,L_1) | False to Cons(E_2,L_2) }, for some terms P, Q_1, Q_2, B, E_1, L_1, E_2 and L_2. It is easy to see that Q_1 is useless-code¹, in particular dead-code, so it could be replaced by a place-holder d. Let z, h and t not occur in Q_2, then we have that E_1, L_1, E_2, L_2 are dead-code, and can therefore be replaced by place-holders d'_1, d''_1, d'_2, d''_2. Suppose also that the variable y does not occur in Q_2, but only in Q_1 (that has been removed), then also P is dead-code and it can be replaced by a place-holder d_3.

We have removed a lot of dead-code but, also after the above simplifications, in the term N there is other useless-code, since the subexpression A is an example of minimum-information-code: it contributes to the computation only by providing the Cons data-constructor of intList. Quoting from Berardi and Boerio [3] we say that the subexpression A is minimum-information-code since "we use only the first symbol of its output, and this first symbol is always the same". Minimum-information-code can be simplified by exploiting the (minimum) information that it provides. For the program N above this amounts to replacing the minimum-information-code A by the term A' = Cons(d_1, d_2), which provides the same (minimum) information, and replacing the term G (which uses the minimum-information-code A) by the term G' = λy^int.λz^intList.Q_2, obtaining the simplified term N' = λx^int.G'd_3A'.

Note that replacing A by A' may have changed the termination behaviour of N (even w.r.t. the lazy-call-by-name evaluation strategy²): minimum-information-code is useless-code, but is not dead-code, and simplifying it may change the termination property of the program (i.e. it may happen that the simplified program converges while the original one diverges).

Moreover after turning G into G' we have that A' is dead-code³ and it can be replaced by a place-holder d_4. Note that A is not dead-code in N, but by simplifying the minimum-information-code A in N (i.e. by turning G into G' and A into A') we have obtained a term N' containing new dead-code. By this second simplification step we obtain the term N'' = λx^int.G'd_3d_4, that does not contain useless-code (supposing that Q_2 does not).

Also in this case (as in Example 1) it is possible to simplify the term in a clever way by eliminating the place-holders for the dead-code removed. I.e. the application G'd_3d_4 can be replaced by the body Q_2 of the function G'. After this last "cosmetic" simplification we obtain the term N''' = λx^int.Q_2, which is significantly simpler than the original one. We remark that the transformation of N in N''' cannot be performed by (partially) evaluating the program N, since the value of the subexpression B may depend on the formal parameter x.

¹ Since A (the actual value of the formal parameter z) either diverges or converges to a term of the form Cons(E, L) (for some E, L), Q_1, which is the first branch of the case examining A, is never executed.

² Suppose that, for some values of the parameter x, the term B is divergent.

³ Remember that the variable z does not occur in Q_2.

Fig. 1. PCFD types

ρ ::= int                          (integers)
    | ρ → ρ                        (functions)
    | μ                            (datatypes)
μ ::= data X.dc_1 | ··· | dc_m     (datatype, m > 0, Con(dc_i) = Con(dc_j) iff i = j, X bound in each dc_i)
dc ::= C(ϑ_1, …, ϑ_a)              (data-clause, a ≥ 0, each ϑ_i is either a type or the variable X)
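Example 2 run under call-by-name, as an added illustration in Python (not the paper's own code): every argument of N is a Thunk that records whether it was forced, so a thunk never forced on any input is dead-code, while A is forced only as far as its Cons constructor, the minimum-information-code. The bodies chosen for P, B, E_i, L_i, Q_1 and Q_2 and the function names run_n, run_n3 and analyse are constructed here; the paper leaves those subterms unspecified.

```python
class Thunk:
    """Call-by-name suspension that records whether it was ever forced."""
    def __init__(self, name, expr):
        self.name, self.expr, self.forced, self.value = name, expr, False, None

    def force(self):
        self.forced = True
        self.value = self.expr()
        return self.value


class Con:
    """A lazy data value: constructor name plus unevaluated (Thunk) fields."""
    def __init__(self, name, *fields):
        self.name, self.fields = name, fields


def case(scrutinee, branches):
    """case z of { C1(...) to Q1 | ... }: z is evaluated only to its head constructor."""
    v = scrutinee.force()
    return branches[v.name](*v.fields)


def run_n(x):
    """N = λx. G P A from Example 2; the bodies below are constructed stand-ins for
    the subterms P, B, E_i, L_i, Q_1, Q_2 that the paper leaves unspecified."""
    P = Thunk("P", lambda: x * 2)
    B = Thunk("B", lambda: Con("True") if x > 0 else Con("False"))
    E1, L1 = Thunk("E1", lambda: x + 1), Thunk("L1", lambda: Con("Nil"))
    E2, L2 = Thunk("E2", lambda: x - 1), Thunk("L2", lambda: Con("Nil"))
    # A = case B of { True to Cons(E1, L1) | False to Cons(E2, L2) }
    A = Thunk("A", lambda: case(B, {"True": lambda: Con("Cons", E1, L1),
                                    "False": lambda: Con("Cons", E2, L2)}))

    def G(y, z):   # G = λy.λz. case z of { Nil to Q1 | Cons(h, t) to Q2 }
        return case(z, {"Nil": lambda: y.force() + 1,   # Q1: the only use of y
                        "Cons": lambda h, t: 42})       # Q2: uses neither h, t nor y
    return G(P, A), [P, A, B, E1, L1, E2, L2]


def run_n3(x):
    """N''' = λx. Q2, the term left after all the simplifications of Example 2."""
    return 42


def analyse(inputs=(1, -1)):
    """Run N on each input and classify its argument subterms:
    dead-code  = thunks never forced on any input;
    head-only  = thunks forced, but only to a constructor whose fields stayed
                 unforced and whose name is the same on every input, i.e. the
                 minimum-information-code of Example 2."""
    forced, heads = {}, {}
    for x in inputs:
        result, thunks = run_n(x)
        if result != run_n3(x):
            raise AssertionError("simplification changed the result")
        for t in thunks:
            forced[t.name] = forced.get(t.name, False) or t.forced
            if isinstance(t.value, Con) and not any(f.forced for f in t.value.fields):
                heads.setdefault(t.name, set()).add(t.value.name)
    dead = sorted(n for n, f in forced.items() if not f)
    head_only = sorted(n for n, hs in heads.items() if len(hs) == 1)
    return dead, head_only
```

Running on a single input would also list B as head-only, which is why the "same first symbol on every input" condition needs more than one run.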

In Section 2 of this paper we introduce the programming language we are 
dealing with and its operational semantics. Section 3 briefly shows how pro- 
gram properties can be represented by partial equivalence relations on a term 
model of the programming language. In Section 4 we describe the language of 
non-standard types (that we call evaluation types) and its semantics. Section 5 
presents an evaluation type assignment system and a program simplification 
based on the information provided by the evaluation types assigned to a pro- 
gram and to its subexpressions. Related work is considered in Section 6. 



2 The language PCFD 

In this section we introduce a simple functional programming language and 
its operational semantics. The acronym PCFD stands for “Programming Com- 
putable Functions with lazy algebraic Datatypes”, since this language is a di- 
alect of the language PCF [14] obtained by adding algebraic datatypes. For more 
details see, for instance, Pitts [13] and Gordon [10]. The set of PCFD types is 
defined assuming as ground type the set of integers, int. Types are ranged over by 
ρ, σ, τ (with superscripts and subscripts when necessary), and algebraic datatypes 
(datatypes in the following) are ranged over by μ. 

Definition 1 (PCFD types). The language of types (T) is defined by the 
grammar in Fig. 1 where, in a datatype μ = data X.dc_1 | ⋯ | dc_m, the type vari- 
able X is bound by the data-binder and, for each clause dc_i = C_i(θ_{i,1}, …, θ_{i,a_i}), 
each θ_{i,j} is either a type ρ ∈ T or the type variable X representing the datatype 
being defined. The function Con(dc) is defined as: Con(C(θ_1, …, θ_a)) = C. 

Sometimes we will use, as meta-notation, parametrized definitions like list(X_1) = 
data X.Nil | Cons(X_1, X), and pair(X_1, X_2) = data X.Pair(X_1, X_2). For every 
type ρ, ρ_1, ρ_2 ∈ T, list(ρ) ∈ T and pair(ρ_1, ρ_2) ∈ T are the types "list of ρ 
elements" and "pair having a ρ_1 as first element and a ρ_2 as second element", 
respectively. We remark that in our language it is not possible to define polymor- 
phic type constructors like list(X_1) above: type parameters are only a convenient 
(Var) : p (Con) 



/ . M : p^ a h N p 
hvWA/ :a 



/ , r\ h M : a 

^ XxrM -p^a 

,-r, ^ ^ h Pi : (Ji • • • \- Pai-CFai 

(Datai<,<^) hCr(Pi,...,PaJ :m 
where /r = data X.Ci(<0i,i , . . . , Oi, ai) D---DC^(0 m,l ; • ■ ■ ; ) 

^ p, if Oi., = X 



w ^ 1 _ / M, if Oi,j = -’f 



(Case) hP:/r hQi:r ••• h Qm ■ t 

^ h casePof {Ci(a;i,i, . . . ,a;i,ai) to Qi [J • • • [J Cm(®m,i, • • • ,Xm,a^) to Qm} : r 

where m > l,Vi £ {!,..., m} the variables Xi ,\ , . . . , are distinct, 

P — data X .Ci(^i,i, . . . ,Oi,ai) [] ■ ■ ■ [] ^Tn(^m,i ^ ^ ^m,am ) ^ and 

Vi e m}, the program variables Xip , • • • , Xi^ai 

• have the types specified by the data-clause Ci(C>i,i, . . . , <0i,i„) 

• may occur free in Qi 

• are bound by the left-hand-side of the case-clause Ci{xip, . . . ,Xi^ai) to Qt 



Fig. 2. Rules for PCFD term formation (system hx) 



notation, and we need a separate definition for each particular instance of the 
parameter. 

PCFD terms are defined from a set of typed term constants (𝒦 = {0^int, 1^int, …, 
+^{pair(int,int)→int}, …, not^{bool→bool}, and^{pair(bool,bool)→bool}, or^{pair(bool,bool)→bool}}, 
ranged over by k), including the usual operations involving the datatype of booleans, 
bool = data X.True | False, and a set V of typed term variables (ranged over 
by x^ρ, …). PCFD terms, ranged over by M, N, …, are defined as follows. 

Definition 2 (PCFD terms). We write ⊢_T M : ρ, and say that M is a term 
of type ρ, if ⊢_T M : ρ is derivable by the rules in Fig. 2. 

Let Λ_T be the set of PCFD terms, i.e. Λ_T = {M | ⊢_T M : ρ for some type ρ}, 
and Λ^c_T be the set of the closed terms, i.e. Λ^c_T = {M | M ∈ Λ_T and FV(M) = ∅}. 
The process of evaluating a program is specified in a standard way by giving 
a structural operational semantics (see [15,11]) in the form of an inductively 
defined evaluation relation, M ⇓ K, where M is a closed term and K is a closed 
term in weak head normal form (w.h.n.f.), i.e. an element of the set of values 
V_T = 𝒦 ∪ {λx^ρ.N | λx^ρ.N ∈ Λ^c_T} ∪ {C^μ(P_1, …, P_a) | C^μ(P_1, …, P_a) ∈ Λ^c_T}. 

We assume that any functional constant has a type of the shape either ρ_1 → 
ρ_2 or pair(ρ_1, ρ_2) → ρ_3, for some ρ_1, ρ_2, ρ_3 ∈ {int, bool}. So the meaning of a 
functional constant k can be given by a set mean(k) of pairs, i.e. if (K_1, K_2) ∈ 
mean(k) then kK_1 evaluates to K_2. For example (True, False) ∈ mean(not) and 
(Pair(1, 3), 4) ∈ mean(+). 
M\x := fixa;.Ml ij. K Mi}. Xx.P P\x ■.= N] i}. K 

f\xx.Mi}.K MN i}.K 



(XlAPPi 




(XiAPPa) 



Ni}.{Ni,N2) Nii}.Ki N2i}.K2 

MN i}.K3 



(Pair(Jsri, K 2 ), Ks) £ mean(k) 




Fig. 3. “Natural semantics” evaluation rules 



Definition 3 (Evaluation relation). Let M ∈ Λ^c_T. We write M ⇓ K, and 
say that M evaluates to K, if this statement is derivable by the rules in Fig. 3. 

Let M ⇓, to be read "M is convergent", mean that, for some K, M ⇓ K, 
and let M ⇑, to be read "M is divergent", mean that, for no K, M ⇓ K. For 
every type ρ ∈ T, let ⊥_ρ = fix x^ρ.x. It is easy to check that ⊥_ρ ⇑, i.e. ⊥_ρ is the 
"typical" divergent computation of type ρ. 

Following [13] we introduce the ground contextual equivalence on PCFD 
terms, which is the congruence on terms induced by the contextual preorder 
that compares the termination behaviour of programs just at the ground type 
int. This amounts to assuming that complete PCFD programs are closed terms 
of type int, and that the only observable behaviour of a complete program P 
is its divergence or convergence to some integer number. Let (C[ ]^ρ)^σ denote a 
typed context of type σ with a hole of type ρ in it. 

Definition 4 (Ground contextual equivalence). Let M and N be terms of 
type ρ. Define M ⊑_obs N whenever, for all closed contexts (C[ ]^ρ)^int, if C[M] 
and C[N] are closed terms, then C[M] ⇓ implies C[N] ⇓. The relation ⊑_obs is 
the ground contextual preorder and the equivalence induced by ⊑_obs, denoted by 
=_obs, is the ground observational equivalence. 

The closed term model of PCFD is defined by interpreting each type 
ρ as the set of the equivalence classes of the relation =_obs on the closed terms 
of type ρ in Λ^c_T. Let I(ρ) denote the interpretation of type ρ in this model, and 
let [M] denote the equivalence class of the closed term M. An environment is 
a mapping e : V → ∪_{ρ∈T} I(ρ) which respects types, i.e. a mapping such that, 
for all x^ρ, e(x^ρ) ∈ I(ρ). The interpretation of a term M in an environment e 
is defined in a standard way by: [[M]]_e = [M[x_1 := N_1, …, x_n := N_n]], where 
{x_1, …, x_n} = FV(M) and [N_i] = e(x_i) (1 ≤ i ≤ n). 

3 Partial equivalence relations as program properties 

The language of program properties L (introduced in Section 4 as a language 
of non-standard types over T) which is at the basis of the program analysis 
and transformation techniques proposed in this paper, will be interpreted as a 
subset of the partial equivalence relations over the interpretation, I(ρ), of the 
types ρ ∈ T in the closed term model. Let "p.e.r. over a type ρ" mean 
"p.e.r. over I(ρ)". The following definition formally explains what is meant by 
"a term P of type ρ satisfies the property (p.e.r.) R over ρ". 

Definition 5 (P satisfies R). Let R, R_1, …, R_n (n ≥ 0) be p.e.r. over types 
ρ, ρ_1, …, ρ_n, respectively. We say that a term P of type ρ with free variables 
x_1^{ρ_1}, …, x_n^{ρ_n} satisfies the property R under the assumptions R_i for x_i^{ρ_i} (1 ≤ i ≤ 
n) if, for all the environments e and e' such that (e(x_i^{ρ_i}), e'(x_i^{ρ_i})) ∈ R_i, we have 
that ([[P]]_e, [[P]]_{e'}) ∈ R. 

For every type ρ ∈ T, the diagonal p.e.r. over I(ρ), Δ^ρ = {([M], [M]) | [M] ∈ 
I(ρ)}, which equates each element of I(ρ) with only itself, can be seen as the 
property satisfied by any term P of type ρ whose value (under some assump- 
tion on the free variables of the term) matters (it can be used). Note that any 
closed term M of type ρ satisfies this property. The trivial p.e.r. over I(ρ), 
Ω^ρ = {([M], [N]) | [M], [N] ∈ I(ρ)}, which equates all the elements of I(ρ), 
can be seen as the "true" property (satisfied by every term of type ρ) giving no 
information about the use of the term. 

Given a p.e.r. R_1 over ρ_1 and a p.e.r. R_2 over ρ_2, let R_1 → R_2 be the p.e.r. 
over ρ_1 → ρ_2 defined as: R_1 → R_2 = {([F], [G]) | ∀([M], [N]) ∈ 
R_1. ([FM], [GN]) ∈ R_2}. The intuition behind this definition is that R_1 → R_2 
is the property of the programs F such that, for every program M having the 
property R_1, the program FM has the property R_2. For instance Ω^int → Δ^int is 
the property (satisfied by all the closed terms of type int → int which represent, 
necessarily constant, functions which do not use their argument) which says that 
the application of the function can be used without using the argument. 

The set-theoretic inclusion between p.e.r.s over a type ρ represents a logi- 
cal implication between properties, i.e., if R_1 ⊆ R_2 and a program P has the 
property R_1, then P has also the property R_2. 

4 Evaluation types 

In this section we introduce a language of non-standard types over T, the lan- 
guage of the evaluation types (e-types for short), which is the basis for the pro- 
gram analyses and transformations technique proposed in this paper. 

Let φ range over e-types and φ^ρ range over e-types with underlying type ρ 
(i.e. expressing properties of terms of type ρ). In the following we will often 
omit the superscript ρ when it is either not relevant or clear from the context. 
There are two e-types denoting properties for terms of type int: δ^int, which is 
the property of the terms of type int such that their value can be used, and ω^int, 
which is the "true" property, satisfied by every term of type int. 

A partial equivalence relation (p.e.r. for short) over a set A is a symmetric and 
transitive binary relation over A. 
ψ_0 = ω^{list(int)}                             ψ_1 = data X.Nil^∂ | Cons^∂(int, X) 

ψ_2 = data X.Nil^∂ | Cons^ℓ(δ^int, X)            ψ_3 = data X.Nil^∂ | Cons^ℓ(ω^int, X) 

ψ_4 = data X.Nil^∂ | Cons^ℓ(δ^int, ω^{list(int)})  ψ_5 = data X.Nil^∂ | Cons^ℓ(ω^int, ω^{list(int)}) 

plus the 5 e-types (say ψ'_1, …, ψ'_5) obtained from ψ_1, …, ψ_5 by replacing Nil^∂ with Nil^ℓ 

Fig. 4. The 11 e-types for terms of type list(int) 



Other e-types are built following the standard type construction. Given 
two e-types φ_1 and φ_2 the e-type φ_1 → φ_2 says that the application of the 
function to every argument of e-type φ_1 has e-type φ_2. Given a datatype μ = 
data X.C_1(θ_{1,1}, …, θ_{1,a_1}) | ⋯ | C_m(θ_{m,1}, …, θ_{m,a_m}) the e-type ω^μ is the 
"true" property, satisfied by every term of type μ. There are also e-types that provide 
information about which constructors of the datatype may be used: two construc- 
tor annotations, ∂ and ℓ (ranged over by u, v), are introduced to represent the 
fact that a datatype constructor is dead (i.e. it is not used) or is live (i.e. it may be 
used), respectively. In particular the syntax of the e-types different from ω^μ is 
as follows: 

φ^μ = data X.C_1^{u_1}(Φ_{1,1}, …, Φ_{1,a_1}) | ⋯ | C_m^{u_m}(Φ_{m,1}, …, Φ_{m,a_m}) 

where for all i ∈ {1, …, m} and for all j ∈ {1, …, a_i}, Φ_{i,j} is 

    either X or ω^μ,            if u_i = ℓ and θ_{i,j} = X 
    an e-type φ^{θ_{i,j}},       if u_i = ℓ and θ_{i,j} ∈ T 
    θ_{i,j},                    if u_i = ∂. 

If a term Q of type μ has the e-type φ^μ above, then the constructors having an- 
notation ∂ are not used while those having annotation ℓ may be used (with argu- 
ments having the specified e-types). For instance there are 11 
e-types (listed in Fig. 4) for the type list(int). The "typical" terms having 
e-types ψ_1, ψ'_1, and ψ_5 are ⊥_{list(int)}, Nil, and Cons(N, M) (for any N : int 
and M : list(int)), respectively. Cons(N, M) is also the "typical" term of e-type 
ψ_4. Moreover ⊥_{list(int)} has every e-type of list(int), while Nil has none of 
the e-types ψ_1, …, ψ_5, and Cons(N, M) has neither e-type ψ_1 nor ψ'_1. Both the 
e-types ψ_2 and ψ_3 specify that the constructor Nil is not used while the sec- 
ond component of the constructor Cons (which may be used) has (recursively) 
the same e-type, so the "typical" terms having such e-types are of the form 
Cons(N_1, Cons(N_2, ⋯ Cons(N_p, fix x^{list(int)}.x) ⋯)), for some N_1, …, N_p (p ≥ 0). 

We remark that the e-type syntax (see Definition 6 below) has been designed 
in such a way that (syntactically) different e-types denote (w.r.t. the semantics in 
Definition 7) different p.e.r.s. This observation justifies some choices that might 
appear quite arbitrary, e.g. not having e-types of the form δ^ρ where ρ ≠ int, and 
of the form φ → ω^σ (for any e-type φ and type σ). Each e-type φ^ρ is interpreted 
as a p.e.r., [[φ]], over I(ρ) (see Section 3). 

Definition 6 (Evaluation types). The language of the e-types, L, is defined 
by: L = ∪_{ρ∈T} L(ρ), where the sets L(ρ) are defined by the rules in Fig. 5. 

Definition 7 (Semantics of e-types). The semantic function [[·]] which maps 
e-types φ^ρ to p.e.r.s over I(ρ) is defined by the clauses in Fig. 6. 
(δ)  δ^int ∈ L(int)                    (ω)  ω^ρ ∈ L(ρ) 

        φ ∈ L(ρ)    ψ ∈ L(σ) 
(→)  ----------------------------   ψ ∉ L_ω 
        φ → ψ ∈ L(ρ → σ) 

        ∀i ∈ {1, …, m}. ∀j ∈ {1, …, a_i}.   Φ_{i,j} ∈ {X, ω^μ},     if u_i = ℓ and θ_{i,j} = X 
                                             Φ_{i,j} ∈ L(θ_{i,j}),   if u_i = ℓ and θ_{i,j} ∈ T 
                                             Φ_{i,j} = θ_{i,j},      if u_i = ∂ 
(data)  ---------------------------------------------------------------------------------- 
        data X.C_1^{u_1}(Φ_{1,1}, …, Φ_{1,a_1}) | ⋯ | C_m^{u_m}(Φ_{m,1}, …, Φ_{m,a_m}) ∈ L(μ) 

        where μ = data X.C_1(θ_{1,1}, …, θ_{1,a_1}) | ⋯ | C_m(θ_{m,1}, …, θ_{m,a_m}) 

Fig. 5. Evaluation types 



la;''! = 12" 

[<;!>—>■ i/)| = where ip is not an o>-e-type 

I^'"l = Up>o '^h®re 

= data X.Ci“i (<!»i,i , . . . , J n • • • n , . . . , ^m,a ^ ) 






{([fix®''.® 



[fix®''.®])} 



F U Uie{l<i<m and Ui=£} { ( [^» (-^*.1 > ' ’ ' 

Vj e {1, . . . , ai}.([Pi,j], [Qi,i]) £ 



[Ci(Qi,l, . . . , Qi,ai)]) \ 

I<^T, 

if^,,, eL ^ 



Fig. 6. Evaluation types semantics 



According to the e-type semantics (Definition 7) an e-type ω^ρ denotes the trivial 
p.e.r. Ω^ρ. Other "special" e-types are the δ-e-types: a δ-e-type φ^ρ ∈ L_δ denotes 
the diagonal p.e.r. Δ^ρ. 

Definition 8 (ω-e-types and δ-e-types). Let the ω-e-types be the e-types in 
the set L_ω = {ω^ρ | ρ ∈ T}. The set of the δ-e-types (L_δ) is the subset of the 
e-types which do not contain subexpressions of the form ω^ρ (for some ρ) and do 
not contain the annotation ∂. For every type ρ ∈ T, let δ(ρ) be the corresponding 
unique δ-e-type. 

Two other subclasses of e-types which are useful for program simplification 
are the ∂-e-datatypes that characterize datatypes in which no constructor is 
used (and which are therefore, according to Definition 7, ground observationally 
equivalent to a divergent computation), and the Ω-e-datatypes that characterize 

It is immediate to see that for every type ρ ∈ T there is exactly one δ-e-type. For 
instance δ(list(int)) is the e-type ψ'_2 in Fig. 4. 

Since a ∂-e-datatype denotes the singleton p.e.r. [[φ^μ]] = {([⊥_μ], [⊥_μ])}. 
(Ref) 4><4> V < ojf’ 



(^) 



(j>l <(j>2 V’l < 1p2 
(p2 ^ 1pl < (pi ^ 1p2 



tp2 0 L„ 



(data) 

where 



Vi e {h I 1 < h < m and Uh = ^}.Vj £ {1, . . . ^ Jluj 



(t>i^ = dataX.Ci“i(<!‘i,i 

= data^.C^n* *!,! 



<|k r< J|fc is short for: 



(^m,l ; 
(*J*m,l ; 



♦l,ai) II ■ ■ ■ II C„ 

•(•l.ai) II • • • II C„ 

Vi e {1, ... , m}.(ui — d or Vi = £) 

if<H = X 

J|fc £ L and <|k < J|fc, if <|k £ L 



; ^m,a„ 
7 ^m,a„ 



) 

) 



Fig. 7. Entailment rules for e- types (system <) 



datatypes in which only one constructor is used and its arguments are not used 
(i.e. they characterize the minimum-information-code). 

Definition 9 (∂-e-datatypes and Ω-e-datatypes). The set of the ∂-e-data- 
types, L_∂, is the set of the e-types of the form: 
data X.C_1^∂(θ_{1,1}, …, θ_{1,a_1}) | ⋯ | C_m^∂(θ_{m,1}, …, θ_{m,a_m}), where m > 0. For 
every datatype μ, let ∂(μ) be the corresponding unique ∂-e-datatype. 

The set of the Ω-e-datatypes, L_Ω, is the set of the e-types of the form: 
data X.C_1^{u_1}(Φ_{1,1}, …, Φ_{1,a_1}) | ⋯ | C_m^{u_m}(Φ_{m,1}, …, Φ_{m,a_m}), where m ≥ 1 and 
there exists i ∈ {1, …, m} such that u_i = ℓ, Φ_{i,1}, …, Φ_{i,a_i} ∈ L_ω and j ≠ i 
implies u_j = ∂. For every datatype μ with m ≥ 1 data-constructors, let Ω_C(μ) 
be the corresponding unique Ω-e-datatype in which the data-constructor C is the 
live one. 

We conclude this section by introducing an entailment relation between e- 
types, ≤. This relation models the set-theoretic inclusion between the interpre- 
tation of e-types, and so it represents the logical implication between properties. 

Definition 10 (Entailment relation ≤). Let φ, ψ ∈ L. We write φ ≤ ψ 
to mean that φ ≤ ψ is derivable by the rules in Fig. 7. By = we denote the 
equivalence relation induced by ≤. 

Note that ≤ is reflexive and transitive. Moreover, for any type ρ ∈ T, (L(ρ), ≤) is 
a complete lattice with top ω^ρ and bottom ⊥^ρ (inductively defined by: ⊥^int = δ^int, 
⊥^{ρ→σ} = ω^ρ → ⊥^σ, and ⊥^μ = ∂(μ)). For instance the lattice (L(list(int)), ≤) (whose 
elements are the 11 e-types listed in Fig. 4) is shown in Fig. 8. 

Theorem 1 (Soundness of ≤). φ ≤ ψ implies [[φ]] ⊆ [[ψ]]. 



Since an Ω-e-datatype denotes the p.e.r. (with exactly two classes): 
[[φ^μ]] = {([⊥_μ], [⊥_μ])} ∪ {([C(M_1, …, M_a)], [C(N_1, …, N_a)]) | C(M_1, …, M_a), 
C(N_1, …, N_a) ∈ I(μ)}, where C is the unique live constructor of μ. 

For instance ∂(list(int)) is the e-type ψ_1 in Fig. 4. 

For instance Ω_Nil(list(int)) and Ω_Cons(list(int)) are the e-types ψ'_1 and ψ_5 in Fig. 4. 

Fig. 8. The lattice (L(list(int)), ≤) 



5 Detecting and removing useless-code 

In this section we first introduce an e-type assignment system for detecting 
dead-code and minimum-information-code in PCFD programs, then we present 
simplification mappings for removing from a program the useless-code that can 
be detected with the e-type assignment system. 



5.1 An e-type assignment system for detecting useless-code 

If x^ρ is a term variable of type ρ, an assumption for x^ρ is an expression of the 
shape x^ρ : φ^ρ, or x : φ for short. A basis is a set Σ of e-type assumptions for 
term variables. E-types are assigned to PCFD terms by a set of inference rules 
for judgments of the form Σ ⊢_L M^φ where M^φ is a decorated term, i.e., it has 
written in it (some of) the e-types assigned to its subterms. Such a decorated 
term can then be processed by a transformation procedure (like those described 
in Section 5.2) that simplifies programs according to the information supplied 
by the e-types. For any e-type φ ∈ L(ρ) let ε(φ) denote the underlying type, ρ, 
of φ, and for any decorated term M^φ define ε(M^φ) as the term obtained from M^φ 
by erasing all the e-type decorations. For each constant k a finite non-empty 
subset of e-types, L(k), is specified: for all integers n, L(n) = {δ^int}; for any 
binary operator ⊕^{pair(int,int)→int}, L(⊕) = {δ(pair(int, int)) → δ^int}; the constants 
involving the boolean datatype have more than one (non ω-) e-type, see Fig. 9. 
For instance the 4 e-types associated to not say that: if the result can be used 
then also the argument can be used, if in the argument the constructor True is 
live and the constructor False is dead then in the result False is live and True is 
dead (and vice versa), and if the argument diverges then also the result diverges. 

Definition 11 (E-type assignment system ⊢_L). A ⊢_L-typing statement is 
an expression Σ ⊢_L M^φ where Σ is a basis containing an assumption for each 
Let = dataX.True^JFalse®, = dataX.True^JFalse^ and, for any (jtjijj £ L, 
pair(</>, i/)) = data X.Pa\r^{(f),ip). Then (for any binary operator 
L(0) = {(5(pair(int, int)) — > (5(bool), 9(pair(int, int)) — >■ 3(bool)}. 

L(not) = {(5(bool) ^ J(bool), ^ ^ a(bool) ^ a(bool)} 

L(and) = {pair(t'=°°',t'=°°') ^ pair(flii, f *=°°') ^ pair(f <(. 2 ) ^ 

9(pair(bool, bool)) — >■ 5(bool), pair(3(bool), ^/>) — >■ 3(bool), pair(i/), 5(bool)) — >■ cl(bool), 
pair((;6i, </> 2 ) 5(bool) | f '’°°'} and V’ G L(bool)} 

L(or) = {pair(f*=°°',f^°°') ^ pair(flii, t'=°°') ^ pair(t^°°', </> 2 ) ^ 

9(pair(bool, bool)) — ^ cl(bool), pair(9(bool), ?/)) — >■ 9(bool), pair(i/i, 5(bool)) — > 5(bool), 
pair)^!, (P 2 ) (?(bool) | ((>i, <(>2 £ and j} g L(bool)} 



Fig. 9. E-types of the PCFD constants 



free variable of M, and M^φ is a decorated version of M. Σ, x : ψ denotes the 
basis Σ ∪ {x : ψ} where it is assumed that x does not appear in Σ. By Σ ⊢_L M^φ 
we mean that Σ ⊢_L M^φ can be derived by the rules in Fig. 10. 

To state the soundness of the e-type assignment system ⊢_L w.r.t. Definitions 7 
and 5 we introduce the following definition. 

Definition 12. Two environments e_1, e_2 are Σ-related if, for all x^φ ∈ Σ, 
(e_1(x), e_2(x)) ∈ [[φ]]. Let Σ ⊢_L M^φ and Σ ⊢_L N^φ. We say that ε(M^φ) and ε(N^φ) 
are Σ-related at φ to mean that for all e_1, e_2, if e_1, e_2 are Σ-related, then 
([[ε(M^φ)]]_{e_1}, [[ε(N^φ)]]_{e_2}) ∈ [[φ]]. 

Theorem 2 (Soundness of ⊢_L). Let Σ ⊢_L M^φ. Then ε(M^φ) is Σ-related at φ to itself. 

5.2 Useless-code elimination 

In this section we first introduce a dead-code elimination mapping O that takes 
a ⊢_L-decorated term and returns a simplified version of it in which the dead- 
code shown by the e-type decorations has been replaced by "dummy variables". 
Then we show how the simplification mapping O can be extended to a mapping 
O' which removes also the minimum-information-code. 

For each type ρ, let d^ρ, d_1^ρ, d_2^ρ, … be dummy variables of type ρ. We re- 
mark that dummy variables are not present in the original programs: they are 
introduced by the dead-code elimination mapping O as place-holders for the 
dead-code removed. So in the following we assume that all the occurrences of 
dummy variables in a program are free (i.e. there are no bound dummy vari- 
ables) and distinct (i.e. each dummy variable occurs at most once in a program). 
For every term M, let DV(M) be the set of the dummy variables in M. Let Λ_L 
be the set of ⊢_L-decorated PCFD terms, i.e., Λ_L = {M^φ | Σ ⊢_L M^φ for some 
e-type φ and basis Σ}. 

Definition 13 (Simplification mapping O). The function O from Λ_L to PCFD terms 
is defined by the clauses in Fig. 11, where the occurrences of "d" in the second 
and in the last row denote fresh dummy variables of the proper type. If Σ is a 
basis then define O(Σ) = {x : ψ | x : ψ ∈ Σ and ψ ∉ L_ω}. 
. , r D FV(M) hx M : p 

H 



(Fix) M ^ 0 g 

rh (fixx-^.M)^ 



(Var) „ p V- 0 Lc. (Con) T F k^ ^ e L(k) 

■ oc • (ly I 3/ 



(^i) 



V> 0 L„ (^ E) 



E,x ■. <l>\- 
E h [\x.mY~^'*’ 

(Datai ) 



E h r h 



r h {MN'^’f 
rhPi’^i ... x'hPa>“ 






rh(c,(Pi,...,p.j)^" 
where (?i'" = data X.Ci^^ (<|»i,i , . . . , <!»i,ai) |] • • • |] Cm"™ (<!»m,i , . . . , <!»m,a„), Ui = £, 

andVje{l,...,a,}.V>. = |^^^^.^ if £ L 

Vie{l,...,m}. hxQ* :r 

Vi e {/i I 1 < /i < m and Ui ^ €\.EVJ {xi^i : tpi^i ,... , Xi^ai ■ '^i,ai } ^ Qi^ 

E h (caseP"^^ of {cci [ • • • [ cc^})^ 

where m > 1, 

=dataX.Cpi(<!‘i,i.---,<!‘i,ai) D • • • D (<|»^,i, . . . , ), 

Vi e {h I 1 < h < m and Ui = ^}.Vj £{!,..., ai}.tpij = | ^ ’ ?! ^ ^ 

^ ^i,j ? ^ 

, w. ^ r, 1 f Ci(a;i,i, . . . ,a;i,aj to Qi, if Ui = £ 

and Vi e {1, . . . ,m}.cci = ^ . 

I Ci(®i,i, . . . ,a;i,aj to e(Qf ), if Ui = 9 



(Case) 



Fig. 10. Rules for e-type assignment (system Fl) 



We have immediately that if Σ ⊢_L M^φ then O(Σ) ⊆ Σ and Σ' ⊢_L O(M^φ), 
where Σ' = O(Σ) ∪ {d^ρ : ω^ρ | d^ρ ∈ DV(ε(O(M^φ)))}. Moreover we have that the 
simplification mapping is correct w.r.t. the e-type semantics, i.e., if Σ ⊢_L M^φ 
then ε(M^φ) and ε(O(M^φ)) are Σ'-related at φ (where Σ' = Σ ∪ {d^ρ : ω^ρ | d^ρ ∈ DV(ε(O(M^φ)))}). 

In order to use the simplification mapping O to simplify terms while preserv- 
ing their meaning (w.r.t. =_obs) we identify a subset of ⊢_L-typings (that we call 
faithful) for which being Σ-related at φ implies the =_obs relation. 

Definition 14 (Faithful ⊢_L-typing). Σ ⊢_L M^φ is a faithful ⊢_L-type assign- 
ment statement if φ ∈ L_δ, and for all x : ψ ∈ Σ, ψ ∈ L_δ ∪ L_ω. 

The proof that the simplifications performed by the mapping O on faithfully 
decorated terms preserve =_obs relies on the fact that, for all faithful ⊢_L-typings 
Σ ⊢_L M^φ and Σ ⊢_L N^φ, if ε(M^φ) and ε(N^φ) are Σ-related at φ then ε(M^φ) =_obs ε(N^φ). 

A faithful ⊢_L-typing simply says that the term can be used (it has e-type ∈ L_δ) and 
that any of its free variables is either used (it has e-type ∈ L_δ) or not used at all (it 
has e-type ∈ L_ω). 
= {o{M , , where 

1. o(M, 'i/j) = d, iitpG'Lui 

2. o{M,ip) = fixa;’^.®, if £ La 

3. Otherwise: 

o(k,'i/)) = k o{x,iIj) = X o{MN'^,'ip) — o{M,(f> ^ 'ip){o{N,(f)))'^ 



o{Xx.M, ijji — ^ ip 2 ) = Xx.o{M, ip 2 ) 



o(fixa;'^.M, iji) 



o{M, tp) ii 4> £ L„ 

f'wx'^ .o{M,tp) \i (p = %p 



o(C,(Pl, . . . , Pa,), r) = Q(o(Pl, V^l), . . . , o{Pa„^Pa,)) 
where cp'^ = dataX.dCj^ II ' ' ' II dc^^, dc“* = Ci{4ti,i 



, ^i,a, ), 



and Vj e {1, . . . ,ai}.ipj = 



r if = X 

if ^i,j ^ L 



o(caseP'^*^ of {cci |] |]ccm},x) = ftx-x^.x if £ La 

o(caseP'i’^ of {cci |] • • • |] ccm},x) = case o(P, of {cci |] • • • |] cc^} 

where <p^ = data X.dCj^ II ’ ’ ' II dc^ 0 La 



Vi £{!,.. 


. ,m}.dc“* = 




• ■ 1 ^i,ai ) 




CCi = 




7 ^i,ai ) to Qi 




rr' — 


r Ci , . 


:..,Xi,ai)too{Qi,x) 




CC^ — 


^ Ci (3^1,1 , . 


. . ,Xi,ai) to d ifui = d 



Fig. 11. Dead-code simplification mapping O 



Theorem 3 (O on faithful ⊢_L-typings preserves =_obs). Let Σ ⊢_L M^φ be 
a faithful ⊢_L-typing. Then ε(M^φ) =_obs ε(O(M^φ)). 

We now introduce the improved mapping, O', which performs more simpli- 
fications than O. In general O' does not preserve the meaning (w.r.t. =_obs) 
of terms since it may give simplified terms which are strictly observationally 
greater than the original ones (see Example 2). 

Definition 15 (Simplification mapping O'). The function O' from Λ_L to PCFD terms 
is defined exactly as the function O (see Definition 13) with the exception that 
we add to the last clause for the mapping o(·, ·) in Fig. 11 the condition φ^μ ∉ 
L_Ω, and we add also the following two clauses for simplifying the minimum- 
information-code. 

Between the clauses 2 and 3: 

2'. o(M, ψ) = C_i(d^{θ_{i,1}}, …, d^{θ_{i,a_i}}), 
if ψ is the Ω_{C_i}-datatype data X.dc_1 | ⋯ | C_i^ℓ(ω^{θ_{i,1}}, …, ω^{θ_{i,a_i}}) | ⋯ | dc_m 
(where ω^X stands for ω^μ). 

As last clause: 

o(case P^{φ^μ} of {cc_1 | ⋯ | cc_m}, χ) = o(Q_i, χ), 

where φ^μ is the Ω_{C_i}-datatype data X.dc_1 | ⋯ | C_i^ℓ(ω^{θ_{i,1}}, …, ω^{θ_{i,a_i}}) | ⋯ | dc_m 
and cc_i = C_i(x_{i,1}, …, x_{i,a_i}) to Q_i. 
Theorem 4 (O' on faithful ⊢_L-typings). Let Σ ⊢_L M^φ be a faithful ⊢_L- 
typing. Then ε(M^φ) ⊑_obs ε(O'(M^φ)). 

Note that when dealing with terminating programs (like programs extracted 
from proofs) or with programs that are trusted to terminate (as well written 
pure functional programs should be) we have that the simplified programs are 
(or are trusted to be) ground observationally equivalent to the original ones. 

Using the same technique of [6] (see also [7] Chapter 7) we can prove that for 
every PCFD term M there is a faithful ⊢_L-typing (see Definition 14) showing 
all the useless-code that can be proved by system ⊢_L. In this way we can also 
provide a complete (w.r.t. the system ⊢_L) useless-code detection algorithm. Note 
that, since useless-code elimination may give rise to new useless-code (see Example 2), 
we have to apply the detection algorithm and the simplification mapping O' 
repeatedly, until no new useless-code is discovered. 
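As an added illustration (my own Python encoding, not code from the paper), the clauses of the mapping O' of Definitions 13 and 15 are replayed on a term shaped like Example 2, including the repeated application described in the paragraph above: the first pass collapses the case on the Ω_Cons-typed argument, the second pass (under an assumed re-decoration, since the paper's inference algorithm is not reproduced) replaces the now dead argument by a place-holder. The names OMEGA_CONS, simplify, show and run_example, and the constructed term G, are mine.

```python
from collections import namedtuple

# ---- e-types (Section 4).  A Data clause is (constructor, 'l' or 'd', args),
# ---- each argument being an e-type or the string "X" (the datatype itself).
Omega = namedtuple("Omega", "rho")           # omega^rho: the term is not used
Delta = namedtuple("Delta", [])              # delta^int: the value may be used
Arrow = namedtuple("Arrow", "arg res")       # phi -> psi
Data = namedtuple("Data", "rho clauses")     # data X.C1^u1(...) | ... | Cm^um(...)

def underlying(phi):   # epsilon(phi): the PCFD type underneath an e-type
    if isinstance(phi, Delta): return "int"
    return f"{underlying(phi.arg)}->{underlying(phi.res)}" if isinstance(phi, Arrow) else phi.rho

def is_dead_datatype(phi):   # a d-e-datatype (Definition 9): every constructor dead
    return isinstance(phi, Data) and all(a == "d" for _, a, _ in phi.clauses)

def omega_constructor(phi):
    """C if phi is the Omega_C-e-datatype (Definition 9): exactly one live
    constructor, all of whose arguments are omega-e-types; otherwise None."""
    if not isinstance(phi, Data): return None
    live = [(c, args) for c, a, args in phi.clauses if a == "l"]
    if len(live) == 1 and all(isinstance(x, Omega) for x in live[0][1]):
        return live[0][0]
    return None

def clause_args(phi, c):   # argument e-types of constructor c in the Data e-type phi
    return next(args for name, _, args in phi.clauses if name == c)

# ---- decorated terms: App and Case carry the e-type of the argument and of the
# ---- scrutinee, the decorations that the clauses of Fig. 11 consult.
Var = namedtuple("Var", "name")
Const = namedtuple("Const", "name")
App = namedtuple("App", "fun arg arg_etype")              # M N^phi
Lam = namedtuple("Lam", "var body")
Con = namedtuple("Con", "name args")
Case = namedtuple("Case", "scrut scrut_etype branches")  # branch: (C, vars, body)
Dummy = namedtuple("Dummy", "rho")                        # place-holder d^rho
Diverge = namedtuple("Diverge", [])                       # fix x.x

def simplify(m, psi):
    """o(M, psi): the clauses of Fig. 11 plus the two added by Definition 15,
    for the constructs above (constants, variables, application, abstraction,
    constructors and case; fix is left out)."""
    if isinstance(psi, Omega):                         # 1: M is not used at all
        return Dummy(psi.rho)
    if is_dead_datatype(psi):                          # 2: no constructor is used
        return Diverge()
    c = omega_constructor(psi)
    if c is not None:                                  # 2': only the constructor matters
        return Con(c, [Dummy(x.rho) for x in clause_args(psi, c)])
    if isinstance(m, (Var, Const, Dummy, Diverge)):    # 3: structural clauses
        return m
    if isinstance(m, App):                             # o(M, phi->psi)(o(N, phi))
        phi = m.arg_etype
        return App(simplify(m.fun, Arrow(phi, psi)), simplify(m.arg, phi), phi)
    if isinstance(m, Lam):
        return Lam(m.var, simplify(m.body, psi.res))
    if isinstance(m, Con):                             # "X" in a clause stands for psi
        return Con(m.name, [simplify(p, psi if a == "X" else a)
                            for p, a in zip(m.args, clause_args(psi, m.name))])
    phi = m.scrut_etype                                # m is a Case
    if is_dead_datatype(phi): return Diverge()         # the scrutinee diverges
    c = omega_constructor(phi)
    if c is not None:                                  # last clause of Definition 15
        return simplify(next(q for n, _, q in m.branches if n == c), psi)
    ann = {n: a for n, a, _ in phi.clauses}            # dead branches become dummies
    return Case(simplify(m.scrut, phi), phi,
                [(n, xs, simplify(q, psi) if ann[n] == "l" else Dummy(underlying(psi)))
                 for n, xs, q in m.branches])

def show(t):   # readable rendering of a (simplified) term
    if isinstance(t, (Var, Const)): return t.name
    if isinstance(t, Dummy): return "d"
    if isinstance(t, Diverge): return "fix x.x"
    if isinstance(t, App): return f"({show(t.fun)} {show(t.arg)})"
    if isinstance(t, Lam): return f"(\\{t.var}.{show(t.body)})"
    if isinstance(t, Con): return f"{t.name}({', '.join(map(show, t.args))})"
    bs = " | ".join(f"{n}({', '.join(xs)}) to {show(q)}" for n, xs, q in t.branches)
    return f"case {show(t.scrut)} of {{{bs}}}"

# psi_5 of Fig. 4, i.e. Omega_Cons(list(int)): only Cons matters and its arguments do not.
OMEGA_CONS = Data("list(int)", (("Nil", "d", ()),
                                ("Cons", "l", (Omega("int"), Omega("list(int)")))))

def run_example():
    """Constructed term in the spirit of Example 2: G = \\z. case z of {Nil to 0 |
    Cons(h, t) to 1} applied to a list A; the Nil branch is dead and the Cons
    branch does not use z, so A is minimum-information-code."""
    g = Lam("z", Case(Var("z"), OMEGA_CONS,
                      [("Nil", [], Const("0")), ("Cons", ["h", "t"], Const("1"))]))
    a = Con("Cons", [Const("7"), Var("l")])
    n1 = simplify(App(g, a, OMEGA_CONS), Delta())            # first pass: N -> N'
    # z no longer occurs in N', so a second decoration (assumed here, the paper's
    # inference algorithm is not reproduced) gives the argument the e-type omega.
    n2 = simplify(App(n1.fun, n1.arg, Omega("list(int)")), Delta())
    return show(n1), show(n2)
```

The first pass yields (\z.1) Cons(d, d), the second (\z.1) d; the "cosmetic" step of Section 1 would then drop the dead application and leave 1.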



6 Related work 

The class of useless-code characterized in this paper strictly includes the useless- 
code characterized by the technique presented by Berardi and Boerio in [3]. 
The extra power is due to the use of subtyping (not used in [3]). For a dis- 
cussion about the power gained by adding the e-type entailment relation we 
refer to [2] and [5] Chapter 4 (where a dead-code analysis with type entail- 
ment for a simply typed λ-calculus is presented), see also [6] and [7] Chap- 
ter 7 (where a constraint-based inference algorithm for the analysis of [2] is 
presented). We remark that in presence of datatypes the advantage of hav- 
ing the e-type entailment relation is even greater. Take for instance the term 
P = (λz^μ. ⋯ (case B of {True to z | False to C_i(⋯)}) ⋯) Q, where the 
case-expression is not useless-code. Suppose that we can assign to Q an e-type 
in which the constructor C_i is dead. If we try to assign an e-type to P without 
using entailment, we are forced to assign to every (non-dead) occurrence of z in 
P (and also to Q) an e-type φ_1 in which C_i is live. By using entailment, in- 
stead, we can assign such an e-type φ_1 to the occurrence of z in the True branch 
of the case-expression, but we can assign e-types φ', φ_2, φ_3, … in which C_i is 
dead to Q and to the other occurrences of z in P, respectively (provided that 
φ' ≤ φ_1, φ' ≤ φ_2, …). 

Besides the use of the e-type entailment relation, the main differences be- 
tween our approach and that of [3] are in the programming language considered 
and in the algorithm that finds the useless-code in a given term. The language 
considered in [3] is strongly normalizing and it can be seen as the language ob- 
tained from PCFD by removing the constructor fix and adding, for every type 
τ ∈ T, an operator it_τ for primitive recursion over datatypes and from datatypes 
to every type. 

The algorithm described in [3] is a kind of "data flow" algorithm that analyzes 
a term by implicitly building a directed graph which represents the input-output 
relation between the subterms of a given term. The principal advantage of our 
constraint-based algorithm (not presented here, for lack of space) is that (as 
shown in [6] and [7] Chapter 7) it is compositional while that of [3] is not. 

Since live branches of a case-expression must have the same (non-ω) e-type. 
Abstract. I give a proof of the conjecture stated in [2] by R. Kerth: 
Every unsolvable λ-term has a decoration. 



1 Introduction 

In this paper I give a proof of the conjecture stated in [2] by R. Kerth: Every 
unsolvable λ-term has a decoration. 

Let t be unsolvable. Denote by t_k the term obtained from t after k many 
steps of head reduction and by (d ū) the term d applied to the sequence ū 
of arguments. If t reduces to t', say that a subterm d' of t' is a descendent (cf. 
definition 9) of a subterm d of t if it is a "copy" of d. 

A sequence (d_k)_{k∈N} of λ-terms is a decoration for (the computation of) t if 
there is a strictly increasing function f from N to N such that for every k: 

1. t_{f(k)} = (d_k ū_k) for some finite (non empty) sequence ū_k of λ-terms. 

2. d_k is solvable and d_{k+1} is a descendent of some element of ū_k. 



Comments, notations and examples 

1. The definition of a decoration given above is exactly the one of [2] but, in 
fact, the hypothesis "d_k is solvable" is useless since it is a consequence of the 
other hypothesis (cf the corollary 2). 

2. Let δ = λx (x x), I = λx x, B = λb λf (f (b b f)) and Y = (B B). Y is the 
Turing fixed point operator. 

3. Let t = (δ δ). Then the constant sequence (δ) is a decoration for t since t 
reduces by head reduction to t' = (δ δ) and the first δ in t' is a descendent 
of the second δ in t. 

4. Let t = (B B I). Then the constant sequence (B) is a decoration for t since 
t reduces to itself (in 3 steps) and the first occurrence of B in this reduct is 
a descendent of the second occurrence of B in t. 

5. Let w_1 = λxyz (z x y), w_2 = λxyz (y (x (z x))), R = (w_1 I w_2) and 
w_3 = (w_2 R). Then, 

— t = (w_2 R I w_2) → (R w_3) (in 4 steps) 

— (R w_3) → (w_3 I w_2) = t' (in 3 steps) 

— (w_3 I w_2) → (w_2 R I w_2) = t (in 7 steps) 

It is easy to check that w_2, w_3 and R are solvable and that the descendent 
condition is satisfied. Thus the sequence [w_2, R, w_3, w_2, R, w_3, w_2, …] is a 
decoration for t. Note that t' is equal to t but t is written as w_2 applied to 3 
arguments whereas t' is written as w_3 applied to 2 arguments and thus the 
R in t' is not seen as an argument of the head term. 

6. Other examples can be found in [1]. 

The motivation (see [2]) of this conjecture is the following: A model of λ
calculus is said to be sensible if all the unsolvable terms are equal in this model.
It is not easy, in general, to check whether a given model of λ calculus is sensible
or not. In [1], [3] R. Kerth built an uncountable number of graph models with
different equational theories but he was unable to prove they were sensible,
because the usual argument of reducibility did not work in his models. He was
able to show that his models had no critical sequences (a semantical notion he
introduced) and he showed that a graph model without critical sequences is
sensible ... if his conjecture is true.

Thus, the constructions in [1], [3] and the present paper show that there
are uncountably many sensible distinct equational theories of continuous models
(and similarly for the stable and strongly stable semantics).

Acknowledgements Rainer Kerth has read very carefully the first versions
of this paper and suggested many improvements. Thanks, Rainer.



2 The idea of the proof

R. Kerth defines a decoration only for the head reduction of unsolvable terms, i.e.
terms whose Böhm tree is ⊥. I define below a decoration for the computation (by
left reduction) of any branch of a term t. A branch in t is either an infinite branch
of its Böhm tree or a finite one finishing with ⊥, i.e. a branch in t corresponds
to an infinite computation. I prove a more general result (the computation of
any branch in any λ term admits a decoration, cf. Theorem 1) but this general
notion of decoration is necessary for the proof of even the restricted case. The
idea of the proof is the following.

1) Let a be a branch of t and b be a branch of a subterm u of t. I say that b is
(t, a) useful if, intuitively (see the definition 10), the computation of the branch
a of t "uses" all the nodes of addresses b↾i (i < lg(b)) of the Böhm tree of u. I
first show (cf the proposition 5) that if a branch b of u is (t, a) useful and there is
a decoration for (u, b), then there is a decoration for (t, a). This is the reason for
which it is necessary to extend the notion of decoration to solvable terms. The
decoration of an unsolvable term t may "come from" a decoration of a solvable
subterm u of t.

2) Let t = (u r1 ... rn) and a be a branch in t. Say that a is created by the
application of u to r1 ... rn if neither in u nor in any ri there is a branch that is
(t, a) useful. I also show (this is the key point of the proof, see the proposition
6) that if the branch a in t = (u r1 ... rn) is created by the application of u to
r1 ... rn, then t reduces to some t' = λ̄ (ri s1 ... sm) for some s1 ... sm and

- the occurrence of ri in t' is a descendent of the one in t.

- the branch a in t' still is created by the application of ri to s1 ... sm.

Actually the proposition 6 is a bit more complicated because we have to deal
with possible substitutions of the free variables.

3) The theorem 1 is then proved by induction on the complexity of t. If t is in
head normal form the result follows immediately from the induction hypothesis.
Otherwise t = λ̄ (u r1 ... rp) for some p ≥ 1. If the branch a is not created by
the application of u to r1 ... rp, i.e. either in u or in some ri there is a branch
that is (t, a) useful, the result follows from the induction hypothesis and the
first point above. Otherwise, we get a decoration by using repeatedly the second
point above.

3 Definitions

Definition 1. 1. Let 𝒜 be the set of finite or infinite lists of elements of N* =
N − {0}. A finite list is called an address.

2. Let a, a' be in 𝒜. a ≤ a' means that a is an initial segment of a'. For i
≤ lg(a), a↾i denotes the restriction of a to its first i elements.

3. The list a with i added at the beginning (resp at the end) will be denoted by
[i :: a] (resp [a :: i]). The empty list is denoted by nil.

To be able to prove results on substitutions I need some extension of Λ. This
is closely related (and a bit more general) to the directed λ calculus introduced
in [4].

Definition 2. 1. Λ denotes the set of λ terms.

2. The set Λ' of terms is defined by the following grammar:

Λ' = V | ⊥ | c(a, σ) | λx Λ' | (Λ' Λ')

where

(a) V is the set of variables

(b) a substitution is a function from V to Λ' that is the identity except for a
finite set (called its domain) of variables.

(c) for every address a and every substitution σ, c(a, σ) is a constant.

3. A Böhm function is a partial function f : 𝒜 → {⊥} ∪ {(E, x, p) / E ⊆ V, E
finite, x ∈ V, p ∈ N} which satisfies:

(a) f(nil) is defined.

(b) f([a :: i]) is defined iff f(a) = (E, x, p) and i ≤ p.

(c) If f(a) = (E, x, p), f(a') = (E', x', p') and a ≠ a' then E ∩ E' = ∅.

Notations, conventions and comments

— I adopt the Barendregt convention that variables are always named in such
a way that there is no undesired capture and no confusion between different
names.

— λ̄ denotes a sequence (possibly empty) of abstractions and (t ū) represents
the term t applied to a sequence (possibly empty) of arguments.

— c(a, σ) represents the subterm (at the address a, in the environment given
by σ) of the Böhm tree of some term u that will be substituted later on.

— A Böhm function codes a Böhm tree in the following way: f(a) = ({x1, ...,
xk}, x, p) (resp ⊥) means that the node at the address a in the Böhm tree
coded by f is λx1 ... λxk (x t1 ... tp) for some terms t1, ..., tp (resp ⊥).

Definition 3. Let σ, σ' be substitutions and t be in Λ'.

1. The free variables of t are defined by the usual rules and

— ⊥ has no free variables

— x is a free variable of c(a, σ) iff x is a free variable of σ(y) for some y
in the domain of σ.

2. The substitution σ(t) is defined by the usual rules and

— σ(c(a, τ)) = c(a, σ ∘ τ) for every τ and a.

— σ(⊥) = ⊥.

Lemma 1. Every term in Λ' can be uniquely written as λ̄ (R ū) where R is
either a variable or ⊥ or (λx u v) or c(a, σ).

Proof. By induction on the term.

Definition 4. 1. Let t = λ̄ (R r1 ... rq) be in Λ' and f be a Böhm function.
One step of f-reduction of t is defined as follows:

— If R = x then t is in f-head normal form and t has no f-reduct.

— If R = ⊥

• If t = ⊥ then t is in f-head normal form and t has no f-reduct.

• otherwise, the f-reduct of t is ⊥.

— If R = (λx u v) then the f-reduct of t is λ̄ (σ(u) r1 ... rq) where σ(x) = v.

— If R = c(a, σ)

• If f(a) = ({x1, ..., xk}, x, p) then the f-reduct of t is
λ̄ λx_{j+1} ... λxk (σ'(x) c([a :: 1], σ') ... c([a :: p], σ') r_{j+1} ... rq)
where j = Min(k, q), σ' = τ ∘ σ and τ is defined by τ(xi) = ri for 1 ≤ i ≤ j.

• If f(a) = ⊥, then the f-reduct of t is ⊥.

• If f(a) is not defined the f-reduct of t is not defined.

2. t →_f t' (resp t ↠_f t') means that t' is the f-reduct of t (resp t' is obtained
from t by some, possibly zero, steps of f-reduction).

Comments and conventions

— An example of f-reduction is given after the definition 10.

— If t is in Λ the f-reduction is the ordinary head reduction (f is never used
and thus can be anything).

— If t is in Λ' and f "represents" the term u (see the definition 8) the f-
reduction "corresponds" to the (ordinary) head reduction of t' where

• t' is the term t where the constants c(a, σ) have been replaced by the
subterm of the Böhm tree of u at the address a in the environment σ.

• "corresponds" means that the reduction is the same except that the part
of the computation of t' that "comes from" the computation of the node
at the address a in the Böhm tree of u has been forgotten and is given
by the "oracle" f.

— I allow f(a) to be undefined in the definition of the f-reduction of t because
I made no restrictions in the definition of Λ'. However the typical situation
where the f-reduction is used is the following. Let t = (u r̄) be in Λ, f
"represents" u and t' = (c(nil, Id) r̄). In this case the f-reduction will
clearly always be defined.

— Similarly, if t "comes from" a λ term, since I only do head reductions the
composition σ' = τ ∘ σ (in the case R = c(a, σ)) in fact is a concatenation
of substitutions (cf the definition 12 and the lemma 8) but I must allow also
composition when I know nothing on t.

— When t is in Λ, I will not write the symbol f. For example I will write t →
t' instead of t →_f t' and similarly for all the definitions in this section. For
example hnf(t) instead of hnf(f, t) in the next definition.

— The letters a, b, c, ... are reserved for elements of 𝒜, the letters f, g, ... for
Böhm functions and the letters r, s, t, ... for terms in Λ'. This will avoid
possible confusions.



Definition 5. hnf(f, t) (the f-head normal form of t) is defined by

— If some step of the f-reduction of t is undefined, then hnf(f, t) is not
defined.

— If t ↠_f t' for some term t' in f-head normal form and t' ≠ ⊥, then
hnf(f, t) = t'. In this case t is said to be f-solvable.

— If the f-reduction of t does not terminate or if t ↠_f ⊥, then hnf(f, t) =
⊥. In this case t is said to be f-unsolvable.



Definition 6. Let a be an address, t be in Λ' and f be a Böhm function.

1. a is f-accessible in t is defined by

— nil is f-accessible in t

— [i :: l] is f-accessible in t iff hnf(f, t) = λ̄ (x t1 ... tn), 1 ≤ i ≤ n and l is
f-accessible in ti.

2. Let a be f-accessible in t. hnf(f, t, a) is defined by

— hnf(f, t, nil) = hnf(f, t).

— hnf(f, t, [i :: l]) = hnf(f, ti, l) where hnf(f, t) = λ̄ (x t1 ... tn).

3. Let a be f-accessible in t. adr(f, t, a) is defined by

— adr(f, t, nil) = t.

— adr(f, t, [i :: l]) = adr(f, ti, l) where hnf(f, t) = λ̄ (x t1 ... tn).
Comments In the following t is assumed to be in Λ.

— a is accessible in t iff the Böhm tree of t (denoted by BT(t)) has a node at
the address a.

— hnf(t, a) is the λ term we get at the address a when the computation of the
node at this address in BT(t) is terminated.

— adr(t, a) is the λ term we get at the beginning of the computation of the
node at this address in BT(t).



Definition 7. Let a be in 𝒜, t be in Λ' and f be a Böhm function.

1. a is an f-branch in t iff

— ∀i ≤ lg(a), a↾i is f-accessible in t.

— if a is finite, then hnf(f, t, a) = ⊥.

2. Assume a is an f-branch in t and k be in N. Res(f, t, a, k) and Br(f, t, a, k)
are defined by

— Res(f, t, a, 0) = t and Br(f, t, a, 0) = a.

— If Res(f, t, a, k) is not an f-head normal form then Res(f, t, a, k+1) =
the f-reduct of Res(f, t, a, k) and Br(f, t, a, k+1) = Br(f, t, a, k).

— If Res(f, t, a, k) = λ̄ (x t1 ... tn) and Br(f, t, a, k) = [i :: l] then
Res(f, t, a, k+1) = ti and Br(f, t, a, k+1) = l.

— Otherwise Res(f, t, a, k) and Br(f, t, a, k) are undefined.

3. t ↠_{f,a} t' means that t' = Res(f, t, a, k) for some k.

Comments and examples In the following t is assumed to be in Λ.

1. Res(t, a, k) is the term we get after k many steps in the computation of the
branch a of BT(t).

2. If t' = Res(t, a, k) then a' = Br(t, a, k) is the branch of t' that has to be
computed to finish the computation of the branch a of t. Thus, if t ↠_a t'
and t' ↠_{a'} t'' then t ↠_a t''.

3. Let t be in Λ. If t is unsolvable, then nil is the only accessible address (and
the only branch) in t.

4. Let t = (I λx (x (S S))). Then hnf(t, nil) = λx (x (S S)), adr(t, [1]) = (S S)
and hnf(t, [1]) = ⊥. The only branch of t is [1].

5. hnf(Y, nil) = λf (f (B B f)). hnf(Y, [1, 1, ..., 1]) = (f (B B f)). The only
branch of Y is 1^ω = [1, 1, ...].

6. Let w = λxyz (z (y (x x y)) z) and t = (w w).

- hnf(t, nil) = λyz (z (y (w w y)) z),

- hnf(t, [1]) = (y (w w y)),

- hnf(t, [2]) = z,

- hnf(t, [1, 1]) = λz1 (z1 (y (w w y)) z1)

- a is accessible in t iff a = [1, 1, ..., 1] or a = [1, 1, ..., 1, 2]. The only branch
of t is 1^ω.
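The examples above (items 3 to 5 of the comments in Section 1 and items 4 to 6 after Definition 7) can be checked mechanically. The following Python program is an added example and is not part of the paper: it implements head reduction on named λ terms with capture-avoiding substitution (λ is written as a backslash in the input syntax), stops when the head reduction returns to a term already seen up to alpha-equivalence (which proves the term unsolvable, as for (S S), (B B I) and (w2 R I w2), whose loop lengths 1, 3 and 7 = 4 + 3 match the step counts given in Section 1), and computes hnf(t, a) and adr(t, a) of Definition 6. The term syntax, the function names (parse, head_step, head_reduce, head_steps, at_address, canon) and the dictionary ENV holding the paper's terms are my own choices; since unsolvability is undecidable, a term that neither reaches a head normal form nor loops within the step limit is reported as undecided rather than as ⊥.

```python
import re

def parse(src, env=None):
    """'\\x y. body' binds x and y; juxtaposition is left-associative application;
    identifiers listed in env (a dict) are replaced by the terms they name."""
    toks, pos, env = re.findall(r'\\|\.|\(|\)|[A-Za-z_]\w*', src), 0, env or {}
    def atom():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok == '(':
            t = expr(); pos += 1                          # skip ')'
            return t
        if tok == '\\':                                   # \x1 ... xn. body
            end = toks.index('.', pos)
            names, pos = toks[pos:end], end + 1
            body = expr()
            for x in reversed(names): body = ('lam', x, body)
            return body
        return env.get(tok, tok)
    def expr():
        t = atom()
        while pos < len(toks) and toks[pos] not in (')', '.'): t = ('app', t, atom())
        return t
    return expr()

def fv(t):
    return {t} if isinstance(t, str) else fv(t[2]) - {t[1]} if t[0] == 'lam' else fv(t[1]) | fv(t[2])

_fresh = [0]
def subst(t, x, s):
    """Capture-avoiding t[x := s]: a binder that would capture a free variable of s is renamed."""
    if isinstance(t, str): return s if t == x else t
    if t[0] == 'app': return ('app', subst(t[1], x, s), subst(t[2], x, s))
    y, body = t[1], t[2]
    if y == x: return t
    if y in fv(s):
        _fresh[0] += 1
        y2 = '%s_%d' % (y, _fresh[0])
        y, body = y2, subst(body, y, y2)
    return ('lam', y, subst(body, x, s))

def spine(t):
    """t = \\x1...xn.(r a1 ... ap)  ->  ([x1..xn], r, [a1..ap]); r is a variable or an abstraction."""
    xs, args = [], []
    while not isinstance(t, str) and t[0] == 'lam': xs.append(t[1]); t = t[2]
    while not isinstance(t, str) and t[0] == 'app': args.append(t[2]); t = t[1]
    return xs, t, args[::-1]

def head_step(t):
    """One step of head reduction; None when t is in head normal form (its head is a variable)."""
    xs, r, args = spine(t)
    if isinstance(r, str): return None
    r = subst(r[2], r[1], args[0])                      # contract the head redex ((\x.u) a1)
    for a in args[1:]: r = ('app', r, a)
    for x in reversed(xs): r = ('lam', x, r)
    return r

def canon(t, env=()):
    """de Bruijn form for comparing terms up to alpha-equivalence; free variables keep their names."""
    if isinstance(t, str): return env.index(t) if t in env else t
    if t[0] == 'lam': return ('lam', canon(t[2], (t[1],) + env))
    return ('app', canon(t[1], env), canon(t[2], env))

def head_reduce(t, limit=10000):
    """(hnf, steps) when the head reduction stops; (None, period) when it returns to an earlier
    term up to alpha-equivalence, which proves t unsolvable; (None, None) after `limit` steps."""
    seen, k = {}, 0
    while k <= limit:
        key = canon(t)
        if key in seen: return None, k - seen[key]
        seen[key] = k
        nxt = head_step(t)
        if nxt is None: return t, k
        t, k = nxt, k + 1
    return None, None

def head_steps(t, k):
    """The term t_k reached after exactly k head-reduction steps."""
    for _ in range(k): t = head_step(t)
    return t

def at_address(t, addr):
    """(adr(t, a), hnf(t, a)) of Definition 6, None standing for bottom; ValueError if a is not accessible."""
    for i in addr:
        h = head_reduce(t)[0]
        args = spine(h)[2] if h is not None else []
        if not 1 <= i <= len(args): raise ValueError('address %r not accessible' % (addr,))
        t = args[i - 1]
    return t, head_reduce(t)[0]

# The paper's example terms: S, I, B, Y, w1, w2, R of Section 1 and w of item 6 after Definition 7.
ENV = {'I': parse(r'\x. x'), 'S': parse(r'\x. x x'), 'B': parse(r'\b f. f (b b f)'),
       'w1': parse(r'\x y z. z x y'), 'w2': parse(r'\x y z. y (x (z x))'),
       'w': parse(r'\x y z. z (y (x x y)) z')}
ENV['Y'] = parse('B B', ENV)                              # Turing's fixed point operator
ENV['R'] = parse('w1 I w2', ENV)
if __name__ == '__main__':
    print('(w2 R I w2) returns to itself after', head_reduce(parse('w2 R I w2', ENV))[1], 'head steps')
```

Run stand-alone it prints the loop length 7 of (w2 R I w2); head_steps(parse('w2 R I w2', ENV), 4) is (R (w2 R)), i.e. (R w3). at_address(ENV['Y'], [1, 1, 1]) gives the node (f (B B f)) of item 5, and at_address(parse(r'I (\x. x (S S))', ENV), [1]) returns ((S S), None), i.e. adr(t, [1]) = (S S) and hnf(t, [1]) = ⊥ of item 4. Cycle detection rather than a step bound is what decides these cases: every unsolvable term of the examples has a periodic head reduction, but an unsolvable term without a cycle (e.g. one whose reducts keep growing) would only exhaust the limit.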
Definition 8. Let u be in Λ' and g be a Böhm function.

1. ψ(g, u) is the Böhm function f defined as follows

- f(a) is defined iff a is g-accessible in u.

- f(a) = ({x1, ..., xk}, x, p) iff hnf(g, u, a) = λx1 ... λxk (x t1 ... tp) for
some terms t1, ..., tp.

- f(a) = ⊥ iff hnf(g, u, a) = ⊥.

2. Let t be in Λ'. t[g, u] is the term obtained by replacing in t the occurrences
of c(a, σ) by σ(adr(g, u, a)) for every a and σ.

Comment and example

— Most of the time the previous definition will be used with u in Λ and thus
t[g, u] also is in Λ and g is useless. In this case the function ψ describes the
nodes of BT(u). Remember (cf. the conventions after the definition 4) that,
in this case, we "forget" the argument g i.e. we write ψ(u) and t[u]. However
the more general definition is necessary to prove that (see the proposition 2)
"to be useful" is a transitive notion.

— Let f = ψ(Y). Since Y ↠ λx (x (x (x ... we have f(nil) = ({x}, x, 1) and
f([1, 1, 1, ..., 1]) = (∅, x, 1).

Definition 9. Let t be in Λ'.

1. The notion of subterm of t is defined as usual, with the following additional
rule: u is a (strict) subterm of c(a, σ) if u is a subterm of σ(x) for some x.

2. Let f be a Böhm function, b be f-accessible in t and t ↠_{f,b} t'.

— A subterm u' of t' is a residue of a subterm u of t if it is a "copy by
β-reduction" of u where, possibly, the free variables have been substituted.
u' is a descendent of u if it is a residue of u and the free variables have
not been substituted.

— The subterm u' = c(a', σ') of t' is an immediate successor of the subterm
u = c(a, σ) of t if

t ↠_{f,b} t1 = λ̄ (c(a, τ) r̄) →_f t2 = λ̄ (τ'(x) c([a :: 1], τ') ... c([a ::
p], τ') s̄) ↠_{f,b} t'

u' is a residue of some element of the sequence c([a :: 1], τ') ... c([a ::
p], τ') in t2

the occurrence of c(a, τ) in t1 is a residue of u.

3. The successor relation (between terms such as c(a, σ)) is the transitive closure of
the immediate successor relation.

Remark A more "formal" definition of these notions (that are intuitively very
clear) is rather tedious. For more details see [2]. It is clear that the notion of
descendent given above is exactly the one in [2]. In particular, if t = (d ū) ↠_a
(d' ū') and d' is a residue of some element of the sequence ū then it is also a
descendent of this element.
Definition 10. Let t, u be in Λ and assume that t = D(σ(u)) for some context
D and some substitution σ. Let t' = D(c(nil, σ)) and f = ψ(u). Let a be a branch
in t.

1. Let b be an address accessible in u. b is (t, a) useful if, for some k, ū and
σ', Res(f, t', a, k) = λ̄ (c(b, σ') ū).

2. Let b be a branch in u. b is (t, a) useful if there is a sequence ⟨ki, σi⟩_{i<lg(b)}
such that, for every i, Res(f, t', a, ki) = λ̄ (c(b↾i, σi) ūi); moreover the
occurrence of c(b↾(i+1), σ_{i+1}) in Res(f, t', a, k_{i+1}) is an immediate
successor of the occurrence of c(b↾i, σi) in Res(f, t', a, ki).

Remarks and examples

— A context is a λ term (not a Λ' term!) with some holes. As usual, in a
substitution in a context some variables may be captured.

— It will be shown (see the proposition 1) that, with the notations of the
previous definition, a is an f-branch in t' and thus the definition makes
sense.

— Most often, either σ is the identity (i.e. u is a subterm of t) or D is an
applicative context (i.e. t = (σ(u) r̄)) but it is not always the case (see the
proposition 6) and I thus need this general definition. In fact both cases are
essentially the same since it is not difficult to prove the following fact.

Let t = D(u) for some context D and a be a branch in t. Assume that the
address nil in u is (t, a) useful, then t ↠_a λ̄ (σ(u) r̄) for some σ which
is the identity except on the free variables of u that are captured by the
context D.

— Let t = (Y I). t is unsolvable and thus nil is a branch in t. 1^ω is a branch
in Y. It is easy to check that 1^ω is (t, nil) useful.

— Note that a term t may have many subterms each of which has a branch that
is (t, a) useful. For example, let t = (Y1 F) (Y2 F) where Y1 = Y2 = Y and
F = λf λg (g f). The following reduction shows that the branch 1^ω in Y1
(and similarly for Y2) is (t, nil) useful.

Let f = ψ(Y) and t' = (c(nil, Id) F (Y F)). Remember that f(nil) =
({x}, x, 1) and f([1, 1, ..., 1]) = (∅, x, 1). The f-reduction of t' is given by
(where σ(x) = F): t' ↠ (F c([1], σ) (Y F)) ↠ (Y F c([1], σ)) ↠
(F (Y F) c([1], σ)) ↠ (c([1], σ) (Y F)) ↠ (F c([1, 1], σ) (Y F)) ↠ ...

— Also note that, for an infinite branch b, being (t, a) useful is stronger than
simply asking that for every i, b↾i is (t, a) useful. Let t = (Y1 Ft Y2 0) where
Y1 = Y2 = Y, Ft = λfnp (u n p (f n (s p))), u = λnpa (n F (p F λx a)),
F = λxy (y x), 0 = λxy y and s = λnfx (f (n f x)). For every k, the
address 1^k is (t, nil) useful both in Y2 and Y1. The branch 1^ω of Y1 is (t, nil)
useful but the branch 1^ω of Y2 is not. The reason is the following: u is a
term (given by Maurey) such that (u n p a) ↠ a for all Church integers
n > p. Since Y may be seen as an "infinite" Church integer, (u Y k a) ↠ a
for every k and this computation "uses" the address 1^k of Y. It follows that,
letting G = (Y1 Ft), t = (G Y2 0) ↠ (G Y2 1) ↠ (G Y2 2) ↠ ... It is easy to
see that, in this computation, the node at the address 1^k of Y1 that is used
for the reduction (G Y2 k) ↠ (G Y2 k+1) satisfies the descendent condition
whereas, since the occurrence of Y2 in (G Y2 k+1) is a "new" one, the node
at the address 1^{k+1} of Y2 that is used in this reduction does not satisfy the
condition.

Definition 11. Let t be in Λ, a be a branch of t and (dn) a sequence of λ
terms. (dn) is a decoration for (t, a) if there is a strictly increasing sequence
(kn) of integers and a sequence (ūn) such that for every n ≥ 0

1. Res(t, a, kn) = λ̄ (dn ūn)

2. d_{n+1} is the descendent of an element of ūn

3. dn is solvable.

Theorem 1. Let t be in Λ and a be a branch in t. Then (t, a) has a decoration.

Corollary 1. Every unsolvable λ term has a decoration in the sense of [2].

4 Proof of the theorem

4.1 Some lemmas on the f-reduction and usefulness

In this section I prove essentially two things: The notion of computation and
the notion of usefulness are "transitive". Moreover in both cases the notion of
descendence is preserved by this transitivity.

The first one (mainly the lemma 7) means that a computation (by left
reduction) can be "partitioned" in the following way: Let u be a subterm
of t. Get t' by replacing in t the subterm u by its Böhm tree. The computation
of a branch a of t is the same as the computation of the branch a of t' where,
when a node of BT(u) appears in head position, the computation of this node
is "inserted". There is a (non essential) technical difficulty shown in the
following example: Assume u ↠ λx u1 ↠ λx (x v). Then
(u r) ↠ (λx u1 r) → u1[x := r] ↠ (r v[x := r]) and the order is not exactly
the same as (u r) ↠ (λx u1 r) ↠ (λx (x v) r) → (r v[x := r]). This is why
we have to use big steps of head reduction.

The second one is given by the proposition 2.

Lemma 2. Let t, t' be in Λ', f be a Böhm function and a be f-accessible in t.
Assume t ↠_{f,a} t'. Then, for some a' ≤ a, t ↠_{f,a} adr(f, t, a') ↠_f t'.

Proof. Immediate from the definition.

Lemma 3. Let v, v' be in Λ' and f be a Böhm function. Assume that v ↠_f v'.

1. Let σ be a substitution. Then σ(v) ↠_f σ(v').

2. Let r̄ be a sequence of terms and assume v' does not begin with λ. Then
(v r̄) ↠_f (v' r̄).

Moreover in both cases the length of the f-reduction remains the same.
Proof. Note that the more general case, where v' begins with λ, is treated in
the lemma 5. The proof is by induction on the length of the reduction and case
analysis. Use the fact that σ(u[x := v]) = σ(u)[x := σ(v)].

Lemma 4. Let t be in Λ' and f be a Böhm function such that t is f-unsolvable.

1. Let σ be a substitution. Then σ(t) is f-unsolvable.

2. Let r̄ be a sequence of terms. Then (t r̄) is f-unsolvable. Moreover (t r̄)
has no reduct of the form λ̄ (ri ū) where ri is a descendent of an element
of r̄.

Proof. 1. This follows immediately from the lemma 3.

2. If t does not reduce to a term beginning with λ this follows immediately
from the lemma 3. Otherwise let r̄ = (r1 ... rn) and t' be the least step
where λ appears. Then (by the lemma 3) (t r̄) ↠_f (t' r̄) = (λx t1 r̄) →_f
(σ(t1) r2 ... rn) where σ(x) = r1. The result follows by the lemma 3 and by
repeating, if necessary, the same argument.

Corollary 2. Let t be in Λ, a be a branch of t, (dn) be a sequence of λ terms,
(kn) be a strictly increasing sequence of integers and (ūn) be a sequence of finite
sequences of λ terms. Assume that for every n ≥ 0

1. Res(t, a, kn) = λ̄ (dn ūn)

2. d_{n+1} is the descendent of an element of ūn

Then (dn) is a decoration for (t, a).

Proof. The fact that dn is solvable follows immediately from the lemma 4.

Lemma 5. Let v, r1, ..., rp be in Λ', σ be a substitution and f be a Böhm
function. Assume that v ↠_f λx1 ... λxk (u t̄). Then (σ(v) r1 ... rp) ↠_f
λx_{j+1} ... λxk (σ'(u) σ'(t̄) r_{j+1} ... rp) where j = Min(k, p), σ' = τ ∘ σ and τ is
given by τ(xi) = ri for 1 ≤ i ≤ j.

Proof. By induction on k. The case k = 0 is given by the lemma 3. Assume
k ≥ 1. Look at the least step in the reduction v ↠_f v' where v' begins with
λ, say v' = λx1 v1. Then, we have the following sequence of f-reductions:
(σ(v) r1 ... rp) ↠_f (λx1 σ(v1) r1 ... rp) →_f (σ1(v1) r2 ... rp) ↠_f
λx_{j+1} ... λxk (σ'(u) σ'(t̄) r_{j+1} ... rp) where σ1 = τ1 ∘ σ and τ1 is given by
τ1(x1) = r1. The first ↠_f is given by the lemma 3 and the last ↠_f is given by
the induction hypothesis.

Lemma 6. Let t, u be in Λ', g be a Böhm function and f = ψ(g, u). Assume t
= λ̄ (R r1 ... rp) and t' is the f-reduct of t. Then

1. if R = x, then t[g, u] is in g-head normal form.

2. if R = (λx v w) or ⊥, then the g-reduct of t[g, u] is t'[g, u].

3. if R = c(a, σ)

— If f(a) = ⊥, then t[g, u] is not g-solvable.

— If f(a) = ({x1, ..., xk}, x, q) then t[g, u] ↠_g t'[g, u].

Proof. (1) and (2) are clear. (3.1) follows from the lemma 4 and (3.2) follows
from the lemma 5.



Lemma 7. Let t, u be in Λ', g be a Böhm function, f = ψ(g, u) and a be f-
accessible in t. Assume t ↠_{f,a} t' = λ̄ (R r̄) and R = either x or (λx v w) or
c(b, σ) with f(b) ≠ ⊥. Then, t[g, u] ↠_{g,a} t'[g, u]. Moreover, let d' be a subterm
of t' that is a residue (resp a descendent) of a subterm d of t. Then d'[g, u] is a
residue (resp a descendent) of the corresponding subterm d[g, u].

Proof. By induction on the length of the reduction of t. For a = nil this follows
from the lemma 6. If a = [i :: b], then t ↠_f λ̄ (x t1 ... tn). By the lemma 6,
t[g, u] ↠_g λ̄ (x t1[g, u] ... tn[g, u]) ↠_{g,a} ti[g, u] and the result follows easily by
induction on the length of a.

Proposition 1. Let t, u be in Λ', g be a Böhm function and f = ψ(g, u). Let a
be in 𝒜. Then a is an f-branch in t iff a is a g-branch in t[g, u].

Proof. It follows immediately from the lemma 6 that t has an f-head normal form
iff t[g, u] has a g-head normal form. Moreover if hnf(f, t, nil) = λx1 ... λxk (x t1 ...
tp) then hnf(g, t[g, u], nil) = λx1 ... λxk (x t1[g, u] ... tp[g, u]). The result follows
easily.



Definition 12. Let σ, σ' be substitutions. τ = σ ⊕ σ' if for every variable x

— if σ(x) ≠ x then τ(x) = σ(x) and σ'(x) = x

— if σ'(x) ≠ x then τ(x) = σ'(x) and σ(x) = x

— otherwise τ(x) = x

Definition 13. Let u be in Λ. Define, for a accessible in u, FV(u, a) by:

— FV(u, nil) = ∅

— FV(u, [a :: i]) = FV(u, a) ∪ {x1 ... xk} where hnf(u, a) = λx1 ... λxk (x t̄)

Lemma 8. 1. Let t = (σ(u) r̄) be in Λ, t' = (c(nil, σ) r̄), b be accessible in
t, f = ψ(u), t' ↠_{f,b} t'' and c(a, τ) be a subterm of t''. Then τ = σ ⊕ σ' for
some σ' whose domain is included in FV(u, a). Moreover, for every variable
y in the domain of τ, for every a' ≥ a and every x in FV(u, a') − FV(u, a),
x is not free in τ(y).

2. Similarly for t = D(σ(u)) with τ = σ ⊕ σ'' ⊕ σ' where the domain of σ'' is
included in the set of variables captured by the context D.

3. Moreover if c(a', τ') is a descendent of c(a, τ) then τ' = τ ⊕ μ for some μ
whose domain is included in FV(u, a') − FV(u, a).

Proof. This comes immediately from the fact that we are doing head reduction
(and of course the renaming rule to avoid capture). More precisely, this is proved
by induction on the length of the reduction t' ↠_{f,b} t'' by a simple case analysis.

Lemma 9. Let t = (σ(u) r̄) be in Λ, b be a branch in t and f = ψ(u). Let t'
= (c(nil, σ) r̄).

1. Assume t' ↠_{f,b} λ̄ (c(a, τ) s̄) and u ↠_a adr(u, a) ↠ λx1 ... λxk (d ū) ↠
λx1 ... λxk ... λx_{k+k'} (d' ū') and d' is the descendent of an element of ū.
Then t ↠_b λ̄ (μ(d) μ(ū) v̄) ↠_b λ̄ (μ'(d') μ'(ū') v̄') and μ'(d') = μ(d')
is a descendent of the corresponding element of μ(ū).

2. Similarly assume that:

— t' ↠_{f,b} λ̄ (c(a, τ) s̄) ↠_{f,b} λ̄ (c(a', τ') s̄') for some a < a' and c(a', τ')
is a successor of c(a, τ).

— u ↠_a adr(u, a) ↠ λ̄ (d ū) ↠_a adr(u, a') ↠ λ̄ (d' ū') and d' is the
descendent of an element of ū.

Then t ↠_b λ̄ (μ(d) μ(ū) v̄) ↠_b λ̄ (μ'(d') μ'(ū') v̄') and μ'(d') = μ(d') is
a descendent of the corresponding element of μ(ū).

Proof. 1. By the lemma 8, τ = σ ⊕ σ1. By the lemma 7,
t ↠_b λ̄ (τ(adr(u, a)) s̄[u]) and, by the lemma 5, λ̄ (τ(adr(u, a)) s̄[u]) ↠
λ̄ (μ(d) μ(ū) v̄) ↠ λ̄ (μ'(d') μ'(ū') v̄') where μ = σ' ∘ τ (resp μ' = σ'' ∘ τ)
and the domain of σ' (resp σ'') is included in {x1 ... xk} (resp {x1 ... x_{k+k'}}).
By the lemma 8, μ = τ ⊕ σ' and μ' = τ ⊕ σ''. Since d' is the descendent
of an element of ū the variables x_{k+1} ... x_{k+k'} do not appear in d' and
μ(d') = μ'(d').

2. Similarly λ̄ (μ(d) μ(ū) v̄) ↠_b λ̄ (μ'(d') μ'(ū') v̄') where μ = τ ⊕ σ',
μ' = μ ⊕ σ'' and the domain of σ'' is included in FV(u, a') − FV(u, a).
Since d' is the descendent of an element of ū, d' has no free variables in
FV(u, a') − FV(u, a) and thus μ'(d') = μ(d').

Proposition 2. Let t, u, v be in Λ, a (resp b, c) be a branch in t (resp in u, v).

Assume that b is (t, a) useful and c is (u, b) useful. Then c is (t, a) useful.

Proof. Let t = D(σ(u)), u = E(τ(v)). Let t' = D(c(nil, σ)), u' = E(c(nil, τ)).
Let F = D(σ(E)). Then t = F(σ ∘ τ(v)). Let t'' = F(c(nil, σ ∘ τ)). I only
prove t'' ↠_{g,a} λ̄ (c(c↾j, τj) r̄j) for every j < lg(c), where g = ψ(v). I should
prove a bit more, namely that the corresponding c(c↾j, τj) are in the immediate
successor relation (see the definition 10). This is rather tedious to write but this
follows immediately from the proof.

Let f = ψ(u) and d = c↾j. Since c is (u, b) useful, u' ↠_{g,b} λ̄ (c(d, τ')
s̄). Thus, by the lemma 2, u' ↠_{g,b} adr(g, u', b') ↠_g λ̄ (c(d, τ') s̄) for some
b' ≤ b. Since b is (t, a) useful, t' ↠_{f,a} λ̄ (c(b', σ') r̄). Clearly t'' = t'[g, u']. Thus,
by the lemmas 7 and 5, t'' ↠_{g,a} λ̄ (σ'(adr(u', b')) s̄') ↠_{g,a} λ̄ (c(d, τ'') r̄').

Proposition 3. Let t = (σ(u) r̄) be in Λ and b be a branch in t. Let a be a
branch in u that is (t, b) useful. Assume that Res(u, a, k) = λ̄ (u1 v̄). Then,

— For some j and some τ, Res(t, b, j) = λ̄ (τ(u1) τ(v̄) r̄').

— Let c be a branch in u1 that is (Res(u, a, k), Br(u, a, k)) useful. Then c is
(Res(t, b, j), Br(t, b, j)) useful.

Proof. By the lemma 2, u ↠_a adr(u, a1) ↠ λ̄ (u1 v̄) = u'. Let
t' = (c(nil, σ) r̄) and f = ψ(u). Since a is (t, b) useful t' ↠_{f,b} λ̄ (c(a1, σ1) s̄).
Thus t ↠_b λ̄ (σ1(adr(u, a1)) s̄') ↠_b λ̄ (τ(u1) τ(v̄) r̄') = Res(t, b, j) = t''. Let
a' = Br(u, a, k) and b'' = Br(t, b, j). Since a is (t, b) useful, it is clear that a'
is (t'', b'') useful and since c is (u', a') useful, by the proposition 2, c is (t'', b'')
useful.

4.2 The key results

The propositions 5 and 6 give the key points mentioned in the section 2. Intuitively
the proposition 6 gives the next step of the decoration and the proposition
7 is the technical result that allows to iterate the construction.

Proposition 4. Let u be in Λ. Assume that u is unsolvable and (dk) is a
decoration for (u, nil).

1. Let σ be a substitution. Then (σ(dk)) is a decoration for (σ(u), nil).

2. Let t = (u r̄). Then there is a sequence (σk) of substitutions such that
(σk(dk)) is a decoration for (t, nil).

Proof. The first case is trivial since, by the lemma 3, if u ↠ u' then σ(u) ↠ σ(u').
For the second case let p be the length of r̄. If p = 0, this is trivial. Assume
p ≥ 1. If, for every k, Res(u, nil, k) does not begin with λ the result follows from
the lemma 3. Otherwise, let k be the least integer such that Res(u, nil, k) =
λx u'. Since (dk) is a decoration for (u, nil), let (kn) be the sequence such that
Res(u, nil, kn) = λ̄ (dn ūn).

Assume first that k0 ≥ k. Then (by the lemma 3) (u r̄) ↠ (λx u' r̄) →
(σ(u') r2 ... rp) where σ(x) = r1. Repeating the same argument with (σ(u') r2 ... rp)
yields the result.

Assume that k0 < k. Let n0 be the largest integer such that k_{n0} < k. Then
(by the lemma 3) for n ≤ n0 Res(t, nil, kn) = (dn ūn r̄). Res(t, nil, k_{n0}) ↠
(λx u' r̄) → (σ(u') r2 ... rp) where σ(x) = r1. Since (dn)_{n>n0} is a decoration for
(u', nil), (σ(dn))_{n>n0} is a decoration for (σ(u'), nil). Since d_{n0+1} is a descendent
of an element of ū_{n0}, x is not free in d_{n0+1}. Repeating the same argument with
((σ(u') r2 ... rp), nil) yields the result.

Proposition 5. Let t, u be in Λ and b (resp a) be a branch in t (resp u). Assume
a is (t, b) useful and let (dk) be a decoration for (u, a). Then there is a sequence
(σk) of substitutions such that (σk(dk)) is a decoration for (t, b).

Proof. - If a is infinite, the sequence (σk) is easily constructed by using the
lemma 9.

- If a is finite the sequence (σk) is easily constructed by using the lemma 9
for the finite part of the branch and the proposition 4 for its last node.
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Proposition 6. Let t = (u r\ ... rn) be a X term and a be a branch in t. Assume 
there is no branch neither in u nor in any ri that is (t, a) useful. Then there is 
< i, k, ui, V > such that, letting t! = Res(t, a, k) and a' = Br(t, a, k) : 

— if = ^ {v{u{) it) for some it, 

— ui = (ri Si ... Sm) and v{ri) = r, is a descendent of its occurrence in t. 

— For 1 < j < m, Sj has no branch that is (1! , a') useful 

— ui has a branch that is (if, a') useful. 

Comments The intuition of the proof is the following : Since there is no 
useful branch in u the set of useful nodes in BT{u) is (by Konig’s lemma) finite. 
Assume, for example, that t = {XxXy (x si S 2 ) ri r 2 ). Then t (ri s'l s' 2 ). If 
there is no useful branch neither in s'l nor in s '2 we are done. Otherwise there 
is such a useful branch in, say, s'l. Thus t ^ X (si it) for some it. By the 
lemmas of the section 4.1 it is mainly enough to prove the result for s'l. But 
t' = {XxXy Si ri r 2 ) s( and the cardinality of the set of useful nodes of t' is 
smaller than the one of t. We get the result by repeating the previous argument. 

Before giving the proof I give an example of the difficult case (the case 2.b 
in the proof). This is the example 4.3.6 in [1]. Let w = Xxyz [y (x (z x))), 
R = Xz (z I w) and t = {w R I w). t is unsolvable. w, R, I are normal and so 
they do not have a branch that is (t, nil) useful, t ^ {I {R {w R))) {R {w R)). 
We cannot choose the step (/ {R {w R))) and the argument I as the first element 
of the decoration for t since the unsolvability is already created (and ” used” ) in 
{R {w R)). We will choose the next step {R {w R)) and the argument R because, 
at this step, the unsolvability is not yet created since R and {w R) are solvable. 
Thus, here, the solution is : fc = 4, 1x1 = (i? {w R)), i = l,v = Id and it is 
empty. 

Proof. Let $E = \{b \mid b \text{ is an address accessible in } u \text{ that is } (t, a) \text{ useful}\}$. Note that for $b$ in $E$, $hnf(u, b) \neq T$ because otherwise $b$ would be a branch in $u$ that is $(t, a)$ useful.

I define a procedure to construct the desired $\langle i, k, u_1, \sigma \rangle$ and a branch in $u$. This procedure halts (and I thus get the result) because otherwise this means we always are in the case (1) below and this procedure has constructed an infinite branch in $u$ that is $(t, a)$ useful, and this is a contradiction. Note that I cannot use the fact that $E$ is finite (and prove the result by induction on the cardinality of $E$). Intuitively this is actually the argument used, but we cannot formalize it in this way. If $E$ is infinite, by König's lemma, there is an infinite branch $b$ such that for every $i$, $b \upharpoonright i \in E$, but (see the example after the definition 10) this does not imply that $b$ is $(t, a)$ useful.

$nil$ clearly is in $E$. Let $hnf(u, nil) = \lambda x_1 \ldots \lambda x_k\,(x\ w_1 \ldots w_p)$, $j_0 = Min(k, n)$ and $\sigma$ be given by $\sigma(x_j) = r_j$ for $j \le j_0$. It is clear that $j_0 \ge 1$ because otherwise $t$ reduces to $\vec\lambda\,(x\ \vec w\ \vec r)$ and then $u$ or some $r_i$ would have a branch that is $(t, a)$ useful.

1) Assume first that $x \notin \{x_1 \ldots x_k\}$. Then $t \to \lambda x_{j_0+1} \ldots \lambda x_k\,(x\ \sigma(w_1) \ldots \sigma(w_p)\ r_{j_0+1} \ldots r_n)$ and thus $a \neq nil$. Let $a = [i \cdot a_1]$. If $i > p$, there is a branch in some $r_l$ that is $(t, a)$ useful and this contradicts the hypothesis. Thus $i \le p$. Let $u' = \lambda x_1 \ldots \lambda x_{j_0}\ w_i$. Then $t \to_a \sigma(w_i)$ and $(u'\ r_1 \ldots r_n) \to \sigma(w_i)$. The first node of the branch constructed by the procedure is $i$. Repeat the procedure (to get the other nodes) with $(u'\ r_1 \ldots r_n)$.

2) Assume that $x = x_i$. Then $t \to \lambda x_{j_0+1} \ldots \lambda x_k\,(r_i\ \sigma(w_1) \ldots \sigma(w_p)\ r_{j_0+1} \ldots r_n)$.

a) Assume first that for $1 \le q \le p$, $\sigma(w_q)$ has no branch that is $(t, a)$ useful. Then $\langle i, j_0, u_1, Id \rangle$, where $u_1 = (r_i\ \sigma(w_1) \ldots \sigma(w_p)\ r_{j_0+1} \ldots r_n)$, clearly satisfies the conclusion of the proposition.

b) Assume that, for some $1 \le q \le p$, $\sigma(w_q)$ has a branch that is $(t, a)$ useful.



Claim. There is $b$ in $E$ and $j \le j_0$ such that $hnf(u, b) = \vec\lambda\,(x_j\ s_1 \ldots s_l)$ and $\sigma(hnf(u, b))$ has a branch that is $(t, a)$ useful but no $\sigma(s_m)$ has such a branch.
Proof 

Note that $adr(u, [q]) = w_q$. By the hypothesis, $[q]$ is in $E$. Let $hnf(u, [q]) = \vec\lambda\,(y\ s_1 \ldots s_l)$. If $y = x_j$ and no $\sigma(s_m)$ has a branch that is $(t, a)$ useful, $b = [q]$ satisfies the conclusion of the claim. Otherwise some $\sigma(s_m)$ has a branch that is $(t, a)$ useful. (Proof: if $y = x_j$ this is clear. If $y \notin \{x_1 \ldots x_k\}$, $\sigma(hnf(u, [q])) = \vec\lambda\,(y\ \sigma(s_1) \ldots \sigma(s_l))$ and this is again clear since a branch in $\sigma(hnf(u, [q]))$ is a branch in some $\sigma(s_m)$.) We may repeat the argument with $b = [q \cdot m]$. If the claim fails we get in this way an infinite branch in $u$ that is $(t, a)$ useful. (Q.E.D. of the claim)

Let $(b, j)$ be given by the claim. Let $t' = (c(nil, Id)\ r_1 \ldots r_n)$ and $f = \varphi(u)$. $t' \to_{f,a} \vec\lambda\,(c(b, \tau)\ \vec v)$ for some $\tau = \sigma \oplus \sigma'$ and thus $t \to_a \vec\lambda\,(\tau(adr(u, b))\ \vec v)$. By the lemmas 5 and 8, there is a substitution $\tau'$ such that $\vec\lambda\,(\tau(adr(u, b))\ \vec v) \to \vec\lambda\,(\rho(x_j)\ \rho(\vec s)\ \vec v) = Res(t, a, k)$ where $\rho = \tau \oplus \tau' = \sigma \oplus \sigma' \oplus \tau'$. Then $\langle j, k, u_1, \sigma' \oplus \tau' \rangle$ satisfies the conclusion of the proposition, where $u_1 =$



Proposition 7. Let $(d_n)_{n \ge 0}$ (resp. $(\vec u_n)_{n \ge 0}$, $(\vec v_n)_{n \ge 1}$, resp. $(a_n)_{n \ge 0}$, resp. $(\sigma_n)_{n \ge 1}$) be a sequence of $\lambda$ terms (resp. be sequences of finite sequences of $\lambda$ terms, resp. be a sequence of elements of $A$, resp. be a sequence of substitutions). Assume that for every $n \ge 0$

— $t_n = (d_n\ \vec u_n)$ and $a_n$ is a branch in $t_n$

— For some $k_n$, $Res(t_n, a_n, k_n) = \vec\lambda_n\,(\sigma_{n+1}(t_{n+1})\ \vec v_{n+1})$ and $a_{n+1}$ is $(Res(t_n, a_n, k_n), Br(t_n, a_n, k_n))$ useful.

— $d_{n+1}$ is the descendent of an element of the sequence $\vec u_n$,

— $\sigma_{n+1}(d_{n+1}) = d_{n+1}$.

Then, there is an increasing sequence $(\tau_n)$ of substitutions such that the sequence $(\tau_n(d_n))$ is a decoration for $(t_0, a_0)$.

Proof. I construct (by induction on $n$) a sequence $\langle j_n, r_n, b_n, \tau_n \rangle$ such that: $r_0 = t_0$, $j_0 = 0$, $\tau_0 = Id$, $b_0 = a_0$ and, for $n \ge 1$, $r_n = Res(r_0, b_0, j_n) = \vec\lambda\,(\tau_n(t_n)\ \vec w_n)$, $b_n = Br(r_0, b_0, j_n)$, $\tau_n(d_n) = \tau_{n-1}(d_n)$ and $a_n$ is $(r_n, b_n)$ useful. It is clear that the sequence $(\tau_n)$ satisfies the conclusion.
$t_n \to \vec\lambda_n\,(\sigma_{n+1}(t_{n+1})\ \vec v_{n+1})$. Since $a_n$ is $(r_n, b_n)$ useful and by the propo-



$\tau_{n+1} = \tau_n \circ \sigma_{n+1} \oplus \mu_n$, the domain of $\mu_n$ is included in the variables in
Since $d_{n+1}$ is the descendent of an element of $\vec u_n$, $d_{n+1}$ is not affected by $\mu_n$. Since, by the hypothesis, $\sigma_{n+1}(d_{n+1}) = d_{n+1}$, we have $\tau_{n+1}(d_{n+1}) = \tau_n(d_{n+1})$. Finally, again by the proposition 3, $a_{n+1}$ is $(r_{n+1}, b_{n+1})$ useful.

4.3 End of the proof of the theorem 

Let $t$ be a $\lambda$ term and $a$ be a branch in $t$. The existence of a decoration is proved by induction on the complexity of $t$.

— If $t = \lambda x\,u$ or $t = (x\ \vec r)$ the result follows immediately from the induction hypothesis.

— If $t = (u\ r_1 \ldots r_n)$ and there is, either in $u$ or in some $r_i$, a branch that is $(t, a)$ useful. For example, say $b$ is such a branch in $u$. By the induction hypothesis there is a decoration of $(u, b)$ and by the proposition 5 there is a decoration for $(t, a)$.

— Otherwise $t = (u\ r_1 \ldots r_n)$ and there is no branch, neither in $u$ nor in any $r_i$, that is $(t, a)$ useful. Let $a_0 = a$, $d_0 = u$, $\vec u_0 = r_1 \ldots r_n$, $t_0 = (d_0\ \vec u_0)$ and $\vec v_0$ be the empty sequence. By the proposition 6 there is $\langle i, k_0, t_1, \sigma \rangle$ such that, letting $t' = Res(t_0, a_0, k_0)$ and $a' = Br(t_0, a_0, k_0)$:

• $t' = \vec\lambda\,(\sigma(t_1)\ \vec v_1)$, $t_1 = (r_i\ s_1 \ldots s_m)$, $\sigma(r_i) = r_i$ for some terms $s_1 \ldots s_m$, $\vec v_1$ and some substitution $\sigma$.

• For $1 \le j \le m$, $s_j$ has no branch that is $(t', a')$ useful.

• $t_1$ has a branch $a_1$ that is $(t', a')$ useful.

Let $d_1 = r_i$ and $\vec u_1 = s_1 \ldots s_m$. No $s_j$ has a branch that is $(t_1, a_1)$ useful since, otherwise, by the proposition 2 such a branch would be $(t', a')$ useful. We may again use the proposition 6 with $t_1$ and the branch $a_1$. By repeating the same argument we get sequences satisfying the hypothesis of the proposition 7 and thus a decoration for $t$.
Abstract. We study extensional models of the untyped lambda calculus in the setting of game semantics. In particular, we show that, somewhat unexpectedly and contrary to what happens in ordinary categories of domains, all reflexive objects in the category of games $\mathcal G$, introduced by Abramsky, Jagadeesan and Malacaria, induce the same $\lambda$-theory. This is $\mathcal H^*$, the maximal theory induced already by the classical CPO model $D_\infty$, introduced by Scott in 1969. This result indicates that the current notion of game carries a very specific bias towards head reduction.



Introduction 

$\lambda$-theories are congruences over $\lambda$-terms which extend pure $\beta$-conversion. Their interest lies in the fact that they correspond to the possible operational (observational) semantics of $\lambda$-calculus. Although researchers have mainly focused on only three such operational semantics, namely those given by head reduction, head lazy reduction or call-by-value reduction, the class of $\lambda$-theories is, in effect, unfathomably rich; see e.g. [6,12,11,7] for interesting examples of this complexity. Brute force, purely syntactical techniques are usually extremely difficult to use in the study of $\lambda$-theories. Therefore, since the seminal work of Dana Scott on $D_\infty$ in 1969 [16], semantical tools have been extensively investigated.

A large number of mathematical models for $\lambda$-calculus, arising from syntax-free constructions, have been introduced since then in various categories of domains (see e.g. [17,8,6,10,12,5,7]). And a rich host of different $\lambda$-theories now have a "fully abstract" syntax-free model, i.e. a model which induces precisely those identities which hold in the given theory. However, the denotational semantics supported by these models do not match all the possible operational semantics of $\lambda$-calculus.

For example, in most existing categories of domains, $\lambda$-models have too many functions, and hence many interesting $\lambda$-theories, such as those arising from observing termination under some natural sequential reduction strategies (see e.g. [11]), do not have fully abstract models [12,5]. An example of such a strategy is the one which tries to reduce a term to a closed term. In the case of CPOs, the sequentiality embedded in these strategies clashes with the existence of Scott-continuous "parallel" functions. While, in the case of coherent spaces and stable functions, the presence of so called "parasitic" functions prevents other kinds of identities deriving from monotonicity.

In this paper we explore the methodology for giving denotational semantics based on games, recently introduced by Abramsky, Jagadeesan, Malacaria, and Hyland, Ong (see [3,14]). This methodology has been extremely successful in modeling sequential languages [3,15]. It should be reasonable to expect, therefore, that one could obtain fully abstract game models, at least for those $\lambda$-theories mentioned above which escape domain models. Of course, the very fact that game semantics faithfully captures sequentiality should suggest also that even game semantics is not rich enough to provide fully abstract models for all $\lambda$-theories. It is possible to show, in fact, that there are $\lambda$-theories where, say, the behavior of an unsolvable term, i.e. a term with no head normal form, is that of a "parallel function", which checks if at least one of its arguments evaluates to a fixed term.

Somewhat surprisingly, however, it turns out that all reflexive objects, i.e. extensional $\lambda$-models, in the standard category of games of [3] determine $\lambda$-models which have the same theory. This is the well known maximal $\lambda$-theory $\mathcal H^*$ [6], already induced by Scott's $D_\infty$. We recall that, if $M, N$ are closed $\lambda$-terms (i.e. $M, N \in \Lambda^\circ$), and $HNF$ denotes the set of $\lambda$-terms which have a head normal form, then $M =_{\mathcal H^*} N$ if and only if

$$\forall C[\ ].\ C[M], C[N] \in \Lambda^\circ \Rightarrow (C[M] \in HNF \Leftrightarrow C[N] \in HNF)$$

Alternatively, this is the theory where two terms are equal if we cannot observe that head reduction terminates when one is placed in a given context but does not terminate when the other is.
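A worked instance of this definition, added here and not part of the original paper; the terms $I$, $\Omega$, $M$, $N$ and the contexts below are chosen for the illustration:

$$\begin{aligned}
&\text{Let } I = \lambda x.x,\quad \Omega = (\lambda x.xx)(\lambda x.xx),\quad M = \lambda x.x\,\Omega,\quad N = \lambda x.x\,I. \\
&\text{(i) } I \neq_{\mathcal H^*} \Omega:\ \text{take } C[\ ] = [\ ];\ C[I] = I \in HNF \text{ but } C[\Omega] = \Omega \notin HNF. \\
&\text{(ii) } M \neq_{\mathcal H^*} N \text{ although } M, N \in HNF \text{ themselves: take } C[\ ] = [\ ]\,(\lambda z.z); \\
&\qquad C[M] \to_\beta (\lambda z.z)\,\Omega \to_\beta \Omega \notin HNF,\qquad C[N] \to_\beta (\lambda z.z)\,I \to_\beta I \in HNF. \\
&\text{(iii) } \Omega =_{\mathcal H^*} \lambda x.\Omega:\ \text{both terms are unsolvable, so both denote } \bot \text{ in } D_\infty \\
&\qquad (\bot = \lambda x.\bot \text{ holds there by extensionality}), \text{ and } Th(D_\infty) = \mathcal H^* \text{ [6].}
\end{aligned}$$

Case (ii) shows why the quantification over contexts is essential: the head-normal-form test on the two terms alone does not separate them.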

More specifically, in this paper we show that all reflexive objects in the Cartesian closed category of games $K_!(\mathcal G)$ [3] determine $\lambda$-models which are isomorphic to models which can be constructed as special non-initial colimits in a category $\mathcal G^e$ of games and "embeddings", which mimics the traditional Scott's construction in CPOs and embedding-projection pairs. By extending the methodology of approximants originally introduced in [18,13,12] for the continuous case to the setting of game semantics, we study the fine structure of these models.

The paper [9] is a companion to the present one. Finitary logical descriptions 
of game models, in the spirit of [8,1], are introduced. The case of one of the 
models introduced in this paper is discussed in detail. 

One can elaborate in various ways on the main result of this paper. In any case, we think that it shows that existing game semantics is more rigid than CPO semantics, which can model a very rich collection of $\lambda$-theories. Since the current notion of game appears to carry a very strong bias towards head reduction, a new notion of game seems to be necessary to model $\lambda$-theories different from $\mathcal H^*$.

The present paper is organized as follows. In Section 1, we introduce the categories of games that we shall utilize, namely $\mathcal G$ and $K_!(\mathcal G)$. In Section 2 we discuss initial and non-initial solutions of recursive game equations. In Section 3 we introduce the special class of extensional $\lambda$-models $\mathcal D^*$, and we prove that all reflexive objects in $K_!(\mathcal G)$ determine models belonging to $\mathcal D^*$. In Section 4 we study the fine structure of the models in $\mathcal D^*$ and prove that such models induce the theory $\mathcal H^*$. In Section 5 we give some concrete examples of extensional game $\lambda$-models, including the model arising from applying Scott's trick [17] to the game setting. Final remarks and directions for future work appear in Section 6.

We assume the reader familiar with the basic notions and definitions of $\lambda$-calculus, see e.g. [6]. For the benefit of a reader coming from the $\lambda$-calculus community, this paper is self-contained as far as the theory of games; however the reader can refer to [2,3,4,14] for more details on this topic.

The authors are grateful to Fabio Alessi, Samson Abramsky, and Marina 
Lenisa for useful discussions. 

1 Categories of games 

In this section, we introduce two categories of games. Both are introduced by Abramsky, Jagadeesan and Malacaria in 1993 [3]. Notice however that for our purposes the machinery of "questions and answers", i.e. the bracketing condition, seems unnecessary. One can safely, and more simply, focus only on the full and faithful sub-category of this category consisting of all those games all whose moves are labeled as questions.

We begin by giving the basic definitions. 

Definition 1 (Games). A game has two participants: the Player and the Opponent. A game $A$ is a quadruple $(M_A, \lambda_A, P_A, \approx_A)$ where:

— $M_A$ is the set of moves of the game.

— $\lambda_A : M_A \to \{O, P\} \times \{Q, A\}$ is the labeling function: it tells us if a move is taken by the Opponent or by the Player, and if it is a Question or an Answer. We can decompose $\lambda_A$ into $\lambda_A^{OP} : M_A \to \{O, P\}$ and $\lambda_A^{QA} : M_A \to \{Q, A\}$ and put $\lambda_A = (\lambda_A^{OP}, \lambda_A^{QA})$. We denote by $\bar{\ }$ the function which exchanges Player and Opponent, i.e. $\bar O = P$ and $\bar P = O$. We also denote with $\bar\lambda_A^{OP}$ the function defined by $\bar\lambda_A^{OP}(a) = \overline{\lambda_A^{OP}(a)}$. Finally, we denote with $\bar\lambda_A$ the function $(\bar\lambda_A^{OP}, \lambda_A^{QA})$.

— $P_A$ is a non-empty and prefix-closed subset of the set $M_A^\circledast$ (which will be written as $P_A \subseteq^{\mathrm{nepref}} M_A^\circledast$), where $M_A^\circledast$ is the set of all sequences of moves which satisfy the following conditions:

- $s = at \Rightarrow \lambda_A(a) = OQ$

- $(\forall i : 1 \le i < |s|)\,[\lambda_A^{OP}(s_{i+1}) = \overline{\lambda_A^{OP}(s_i)}]$

- $(\forall t \sqsubseteq s)\,[\,|t \upharpoonright M_A^A| \le |t \upharpoonright M_A^Q|\,]$

where $M_A^A$ and $M_A^Q$ denote the subsets of game moves labeled respectively as Answers and as Questions, $s \upharpoonright M$ denotes the set of moves of $M$ which appear in $s$ and $\sqsubseteq$ is the substring relation. $P_A$ is called the set of positions of the game $A$.

— $\approx_A$ is an equivalence relation on $P_A$ which satisfies the following properties:

- $s \approx_A s' \Rightarrow |s| = |s'|$

- $sa \approx_A s'a' \Rightarrow s \approx_A s'$

- $s \approx_A s' \wedge sa \in P_A \Rightarrow (\exists a')\,[sa \approx_A s'a']$
In the above $s$, $s'$, $t$ and $t'$ range over sequences of moves, while $a$, $a'$, $b$ and $b'$ range over moves. The empty sequence is written $\epsilon$.

Definition 2 (Strategies). 

A strategy for the Player in a game $A$ is a non-empty set $\sigma \subseteq P_A^{even}$ of positions of even length such that $\bar\sigma = \sigma \cup dom(\sigma)$ is prefix-closed, where $dom(\sigma) = \{t \in P_A^{odd} \mid (\exists a)[ta \in \sigma]\}$, and $P_A^{odd}$ and $P_A^{even}$ denote the sets of positions of odd and even length respectively.

In this paper we shall consider only history-free strategies, i.e. strategies 
which depend only on the last move by the Opponent. 

Definition 3 (History-free strategies). 

A strategy $\sigma$ for a game $A$ is history-free if it satisfies the following properties:

- $sab, tac \in \sigma \Rightarrow b = c$

- $sab, t \in \sigma,\ ta \in P_A \Rightarrow tab \in \sigma$.

Definition 4. Let $\sigma, \tau$ be strategies for a game $A$; we write $\sigma \approx_A \tau$ if and only if:

- $sab \in \sigma,\ s'a'b' \in \tau,\ sa \approx_A s'a' \Rightarrow sab \approx_A s'a'b'$

- $s \in \sigma,\ s' \in \tau,\ sa \approx_A s'a' \Rightarrow (\exists b)[sab \in \sigma]$ iff $(\exists b')[s'a'b' \in \tau]$.

The above relation on strategies is not an equivalence relation since it might lack reflexivity. If $\sigma$ is a strategy for a game $A$ such that $\sigma \approx_A \sigma$, we write $\sigma : A$.

Definition 5 (Tensor product). 

Given games $A$ and $B$ the tensor product $A \otimes B$ is the game defined as follows:

— $M_{A \otimes B} = M_A + M_B$

— $\lambda_{A \otimes B} = [\lambda_A, \lambda_B]$

— $P_{A \otimes B} \subseteq M_{A \otimes B}^\circledast$ is the set of positions, $s$, which satisfy the following:

i) the projections on each component (written as $s \upharpoonright A$ or $s \upharpoonright B$) are positions for the games $A$ and $B$ respectively;

ii) every answer in $s$ must be in the same component game as the corresponding question.

— $s \approx_{A \otimes B} s' \iff s \upharpoonright A \approx_A s' \upharpoonright A,\ s \upharpoonright B \approx_B s' \upharpoonright B,\ (\forall i)[s_i \in M_A \iff s'_i \in M_A]$

Here $+$ denotes disjoint union of sets, that is $A + B = \{inl(a) \mid a \in A\} \cup \{inr(b) \mid b \in B\}$, and $[\ ,\ ]$ is the usual (unique) decomposition of a function defined on disjoint unions.



Definition 6 (Unit). The unit element for the tensor product is given by the empty game $I = (\emptyset, \emptyset, \{\epsilon\}, \{(\epsilon, \epsilon)\})$.

Definition 7 (Linear implication). Given games $A$ and $B$ the compound game $A \multimap B$ is defined as follows:

— $M_{A \multimap B} = M_A + M_B$

— $\lambda_{A \multimap B} = [\bar\lambda_A, \lambda_B]$

— $P_{A \multimap B} \subseteq M_{A \multimap B}^\circledast$ is the set of positions, $s$, which satisfy:

i) the projections on each component are positions for the games $A$ and $B$ respectively;

ii) every answer in $s$ must be in the same component game as the corresponding question.

— $s \approx_{A \multimap B} s' \iff s \upharpoonright A \approx_A s' \upharpoonright A,\ s \upharpoonright B \approx_B s' \upharpoonright B,\ (\forall i)[s_i \in M_A \iff s'_i \in M_A]$

It is easy to see that in the “tensor game” only the Opponent can switch 
component, while in the “linear implication game” only the Player can switch. 
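A concrete instance of this switching behaviour, added here and not part of the original paper; the two-move games $A$ and $B$ are constructed for the illustration, with all moves labeled as questions as the remark in this section allows:

$$\begin{aligned}
&M_A = \{q_A, a_A\},\quad \lambda_A(q_A) = OQ,\ \lambda_A(a_A) = PQ,\quad P_A = \{\epsilon,\ q_A,\ q_A a_A\};\quad B \text{ likewise with } q_B, a_B. \\
&A \otimes B:\ \lambda_{A \otimes B} = [\lambda_A, \lambda_B],\ \text{so } q_A, q_B \text{ are } O\text{-moves and } a_A, a_B \text{ are } P\text{-moves.} \\
&\quad q_A\,a_A\,q_B\,a_B \in P_{A \otimes B}:\ \text{alternation } O\,P\,O\,P,\ s \upharpoonright A = q_A a_A \in P_A,\ s \upharpoonright B = q_B a_B \in P_B. \\
&\quad q_A\,q_B \notin P_{A \otimes B}:\ \text{two consecutive } O\text{-moves. After } q_A \text{ the only legal reply is } a_A \\
&\quad (q_A a_B \text{ fails since } a_B \notin P_B),\ \text{so the Player cannot leave } A;\ \text{only the Opponent switches.} \\
&A \multimap B:\ \lambda_{A \multimap B} = [\bar\lambda_A, \lambda_B],\ \text{so } q_B, a_A \text{ are } O\text{-moves and } q_A, a_B \text{ are } P\text{-moves.} \\
&\quad q_B\,q_A\,a_A\,a_B \in P_{A \multimap B}:\ \text{alternation } O\,P\,O\,P,\ s \upharpoonright A = q_A a_A,\ s \upharpoonright B = q_B a_B. \\
&\quad \text{The Player switches twice } (q_B \to q_A,\ a_A \to a_B);\ \text{the Opponent cannot: after } q_A \text{ the} \\
&\quad \text{move } q_B \text{ would give } s \upharpoonright B = q_B q_B \notin P_B,\ \text{so the Opponent must answer } a_A \text{ in } A. \\
&\text{With } B = A \text{ these even-length positions form the copy-cat strategy of Definition 9 below:} \\
&\quad id_A = \{\epsilon,\ q_{A''}\,q_{A'},\ q_{A''}\,q_{A'}\,a_{A'}\,a_{A''}\},\ \text{each } s \text{ satisfying } s \upharpoonright A' = s \upharpoonright A''.
\end{aligned}$$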

Definition 8 (Exponential). Given a game $A$ the game $!A$ is defined by:

— $M_{!A} = \omega \times M_A$

— $\lambda_{!A}((i, a)) = \lambda_A(a)$

— $P_{!A} \subseteq M_{!A}^\circledast$ is the set of positions, $s$, which satisfy the following conditions:

i) $(\forall i \in \omega)[s \upharpoonright A_i \in P_{A_i}]$;

ii) every answer in $s$ is in the same index as the corresponding question.

— $s \approx_{!A} s' \iff \exists$ a permutation of indexes $\alpha \in S(\omega)$ such that:

- $\pi_1^*(s) = \alpha^*(\pi_1^*(s'))$

- $(\forall i \in \omega)[\pi_2^*(s \upharpoonright \alpha(i)) \approx_A \pi_2^*(s' \upharpoonright i)]$

where $\pi_1$ and $\pi_2$ are the projections of $\omega \times M_A$ and $s \upharpoonright i$ is an abbreviation of $s \upharpoonright A_i$.

One can easily see that the following definition is well posed and that the 
objects introduced in Definitions 5, 6 provide indeed a categorical tensor product 
and its unit. 

Definition 9 (The category of games $\mathcal G$). 

The category $\mathcal G$ has as objects games and as morphisms, between games $A$ and $B$, the equivalence classes, for the relation $\approx_{A \multimap B}$, of history-free strategies $\sigma : A \multimap B$. We denote the equivalence class of $\sigma$ by $[\sigma]$.

The identity for each game $A$ is given by the (equivalence class) of the copy-cat strategy $id_A = \{s \in P_{A' \multimap A''} \mid s \upharpoonright A' = s \upharpoonright A''\}$ where the superscripts are introduced to distinguish between the two different occurrences of the game $A$.

Composition is given by the extension on equivalence classes of the following composition of strategies. Given strategies $\sigma : A \multimap B$ and $\tau : B \multimap C$, $\tau \circ \sigma : A \multimap C$ is defined by

$$\tau \circ \sigma = \{s \upharpoonright (A, C) \mid s \in (M_A + M_B + M_C)^* \wedge s \upharpoonright (A, B) \in \sigma,\ s \upharpoonright (B, C) \in \tau\}$$

Throughout this paper, without loss of generality, we shall restrict ourselves 
to “irredundant” games, i.e. to games such that every move appears in at least 
one position. Any redundant game is in fact categorically isomorphic to an irre- 
dundant one. 

One can easily see that the constructions introduced in Definitions 5, 7 and 8 can be made to be functorial. Thus the category $\mathcal G$ is a monoidal closed category [3], which however is not Cartesian closed.
Definition 10 (A Cartesian closed category of games). The category $K_!(\mathcal G)$ is the category obtained by taking the co-Kleisli category over $\mathcal G$ over the co-monad $(!, der, \delta)$ [3], where for each game $A$ the strategies $der_A : !A \multimap A$ and $\delta_A : !A \multimap !!A$ are defined as follows:

- $der_A = [\{s \in P_{!A \multimap A} \mid s \upharpoonright (!A)_0 = s \upharpoonright A\}]$

- $\delta_A = [\{s \in P_{!A \multimap !!A} \mid s \upharpoonright (!A)_{p(i,j)} = s \upharpoonright (!(!A)_i)_j\}]$
where $p : \mathbb N \times \mathbb N \to \mathbb N$ is a pairing function.

The category $K_!(\mathcal G)$ has as objects games and as morphisms between games $A$ and $B$ the equivalence classes of history-free strategies for the game $!A \multimap B$. Moreover it is Cartesian closed.

Definition 11 (Cartesian product). 

Given games $A$ and $B$ the Cartesian product $A \& B$ is the game defined as follows:

- $M_{A \& B} = M_A + M_B$

- $\lambda_{A \& B} = [\lambda_A, \lambda_B]$

- $P_{A \& B} = P_A + P_B$

- $\approx_{A \& B} = \approx_A + \approx_B$.

1.1 Order-enrichment 

Following [3] we can enrich each homset of $\mathcal G$ with a partial order structure:

Definition 12. Given a game $A$, and strategies $\sigma : A$ and $\tau : A$, we write $\sigma \preceq \tau$ iff

$$(\forall s, s', a, b, a')\,[sab \in \sigma \wedge s' \in \tau \wedge sa \approx_A s'a' \Rightarrow \exists b'.\,(s'a'b' \in \tau \wedge sab \approx_A s'a'b')],$$

and we define $[\sigma] \sqsubseteq_A [\tau] \iff \sigma \preceq \tau$.

Given a game $A$ let $\hat A$ be the set of equivalence classes of history-free strategies for $A$. $\sqsubseteq_A$ is a partial order over $\hat A$, whose least element is $[\{\epsilon\}]$. Notice that

$$\hat A \cong \mathcal G(I, A).$$

We now prove that this partial order is not complete. This answers a question 
raised in [3] page 21. 

Definition 13 (Game 01). The game 01 is defined as follows:

- $M_{01} = \{q, !\} \cup \{n, \bar n \mid n \in \mathbb N\}$

- $\lambda_{01}(q) = \lambda_{01}(\bar n) = OQ$ and $\lambda_{01}(!) = \lambda_{01}(n) = PQ$

- $P_{01} = \{q\,n\,\overline{n-1}\,(n-1)\,\overline{n-2}\,(n-2) \ldots \bar 0\,0\,q\,!\,q\,!\,q\,! \ldots \mid n \in \mathbb N\}^{\mathrm{pref}}$

- $s \approx_{01} t \iff |s| = |t|$.

Theorem 1. $(\widehat{01}, \sqsubseteq_{01})$ is not a complete partial order.

Proof. Consider the following strategies indexed by $n \ge 1$:

$$\sigma_n = \{q\,n\,\overline{n-1}\,(n-1)\,\overline{n-2} \ldots \bar 0\,0\,q\,!\}^{\mathrm{epref}}.$$

It is easy to check that $\sigma_n \preceq \sigma_m$ for $n < m$. The chain $[\sigma_0], [\sigma_1], \ldots, [\sigma_n], \ldots$ has no lub, since there is no infinite history-free strategy in 01. □

Corollary 1. The categories $\mathcal G$ and $K_!(\mathcal G)$ are not cpo-enriched categories under the order relation on morphisms of Definition 12.
2 Solution of recursive games equations 

The categories of games $\mathcal G$ and $K_!(\mathcal G)$ allow for the existence of recursive objects, i.e. objects that are fixed points of particular functors. In this section we analyze and elaborate the method proposed by Abramsky and McCusker in [4] for defining recursive games. In a well-founded setting, this method allows to define only initial fixed points of functors. However, in order to model non-trivially $\lambda\beta\eta$-calculus, it is well known that we need to define models which arise from non-initial fixed points. To this end we have to change the functor altogether and use some form of encoding or, equivalently, generalize the method of [4] and consider games "up to" isomorphisms, or consider non-well-founded sets. In this section we shall explore the first two alternatives.



2.1 Initial fixed points 

We start by discussing briefly the method of Abramsky and McCusker [4] in a well-founded setting. This method follows the pattern used for building initial fixed points in the context of information systems. First a complete partial order $\trianglelefteq$ on games is introduced.

Definition 14. Let $A, B$ be games; $A$ is a sub-game of $B$ ($A \trianglelefteq B$) iff

- $M_A \subseteq M_B$;

- $\lambda_A = \lambda_B \upharpoonright M_A$;

- $P_A = P_B \cap M_A^\circledast$;

- $s \approx_A s'$ iff $s \approx_B s'$ and $s \in P_A$.

One can easily see that the sub-game relation defines a complete partial order on games. Hence a functor $F$ which is continuous with respect to $\trianglelefteq$ has a (minimal) fixed point $D = F(D)$ given by $\bigcup_n F^n(I)$. Notice that we have indeed an identity between $D$ and $F(D)$.

In domain theory, non-initial fixed points for a functor $F$ are usually obtained by carrying out the above construction starting from some object $A$, different from the initial one (i.e. $I$ in this case), such that $A \trianglelefteq F(A)$. However one can prove that for functors $F$ obtained from constant functors by composition of the basic functors $\&$, $\otimes$, $\multimap$, $(\ )_\bot$ and $!$, and for every game $A$ whose moves are well-founded sets, if $A \trianglelefteq F(A)$ then $\exists n \in \mathbb N$ s.t. $A \trianglelefteq F^n(I)$. Hence only initial fixed points can be obtained using this technique in well-founded Set Theory.

As remarked earlier, even if no non-trivial model of $\lambda\beta\eta$-calculus can be obtained applying this technique directly to the functor $!D \multimap D$, nevertheless using Scott's trick (see [17]) we can still define models of $\lambda\beta\eta$. What we need is a non-trivial game which satisfies the equivalence $D \cong D \& D$. To see this consider the initial fixed point, $E$, of the functor $F(X) = X \to D$ in a general Cartesian closed category. This is clearly non trivial. One can easily see that the following chain of equivalences holds:

$$E = E \to D = (E \to D) \to D \cong (E \to (D \times D)) \to D \cong ((E \to D) \times (E \to D)) \to D = ((E \to D) \times E) \to D \cong (E \to D) \to (E \to D) = E \to E.$$

We shall present this model in Section 5.
2.2 Non-initial fixed points 

In order to obtain a non-initial fixed point of a functor, without having to deal with the subtleties of non-well-founded sets, or with indirect encodings, we present a generalization of the method proposed in [4], "up to isomorphism".

The basic idea is to obtain a fixed point of a functor $F$ as a limit of a chain of approximations $D_0, D_1, D_2, \ldots$ where, not necessarily $D_n \trianglelefteq D_{n+1}$, but only a weaker relation between $D_n$ and $D_{n+1}$ holds. We simply ask that each $D_n$ is isomorphic to a sub-game $B$ of $D_{n+1}$. In order to formalize our construction we need to introduce a new category $\mathcal G^e$. A similar category was introduced also in [2] for other purposes.

Definition 15. Given games $A$ and $B$ an embedding $f : A \rightarrowtail B$ is a total injective function $f : M_A \to M_B$ such that:

- $\lambda_A = \lambda_B \circ f$

- $f^*(P_A) = P_B \cap (f^*(M_A))^\circledast$

- $s \approx_A s'$ iff $f^*(s) \approx_B f^*(s')$

In the above we have used the notation $f^*$ to denote the natural extension of $f$ both to sequences and sets of sequences.

Definition 16. The category of games $\mathcal G^e$ has as objects games and as morphisms embeddings.

Proposition 1. The category $\mathcal G^e$ is $\omega$-cocomplete.

Proof. Given an $\omega$-chain $(D_n, f_n)$ with $f_n : D_n \rightarrowtail D_{n+1}$ its colimit is $(D_\infty, \mu_n)$ where $D_\infty$ is the game:

- $M_{D_\infty} = (\bigcup_{n \in \omega} M_{D_n})/_\equiv$ where $\equiv$ is the least equivalence relation such that

$\forall n \in \mathbb N\ \forall a \in M_{D_n}\ \forall b \in M_{D_{n+1}}.\ f_n(a) = b \Rightarrow a \equiv b$.

- $\lambda_{D_\infty}([a]_\equiv) = \lambda_{D_n}(a)$ if $a \in M_{D_n}$

- $P_{D_\infty} = \bigcup_{n \in \omega} \{[a_1]_\equiv [a_2]_\equiv \ldots [a_p]_\equiv \mid a_1 a_2 \ldots a_p \in P_{D_n}\}$

- $\approx_{D_\infty} = \bigcup_{n \in \omega} \{([a_1]_\equiv \ldots [a_p]_\equiv,\ [a'_1]_\equiv \ldots [a'_p]_\equiv) \mid (a_1 a_2 \ldots a_p,\ a'_1 a'_2 \ldots a'_p) \in \approx_{D_n}\}$.

The colimit functions $\mu_n : D_n \rightarrowtail D_\infty$ are defined by $\mu_n(a) = [a]_\equiv$. □

Each embedding $f : A \rightarrowtail B$ in $\mathcal G^e$ induces two morphisms $f_+ : A \multimap B$ and $f_- : B \multimap A$ in $\mathcal G$ defined as follows.

Definition 17. Given an embedding $f : A \rightarrowtail B$, put:

$f_+ = \{t \in P_{A \multimap B} \mid t \in S_f\}$

$f_- = \{t' \in P_{B \multimap A} \mid t' \in S_f\}$

where $S_f$ is the least set satisfying:

$$S_f = \{t\,a\,f(a) \mid t \in S_f,\ a \in M_A\} \cup \{t\,f(a)\,a \mid t \in S_f,\ a \in M_A\} \cup \{\epsilon\}.$$

One can easily see that $(g \circ f)_+ = g_+ \circ f_+$ and $(g \circ f)_- = f_- \circ g_-$. The category $\mathcal G^e$ is indeed isomorphic to a sub-category of $\mathcal G$ and to a sub-category of $\mathcal G^{op}$. Now, using the well-known machinery, we can obtain fixed points of any continuous functor $F$ in $\mathcal G^e$.
Theorem 2. Given a game $D$ and an embedding $f : D \rightarrowtail F(D)$, let $(D_\infty, \mu_n)_{n \in \omega}$ be the colimit of the chain $(F^n(D), F^n(f))_{n \in \omega}$. Then, the game $D_\infty$ is the fixed point of the functor $F$. The isomorphic embeddings $\varphi : D_\infty \rightarrowtail F(D_\infty)$ and $\psi : F(D_\infty) \rightarrowtail D_\infty$ are given by $\varphi = \bigsqcup_{n \in \omega} \ldots$ and $\psi = \bigsqcup_{n \in \omega} \mu_{n+1} \circ F(\mu_n)^{-1}$, where the lubs are taken in the category of partial embeddings.

Proposition 2. Given a game $D$ and an embedding $f : D \rightarrowtail F(D)$ let $(D_\infty, \mu_n)_{n \in \omega}$ be the fixed point of the functor $F$. For each $n \in \omega$ let $p_n : D_\infty \multimap D_\infty = (\mu_n)_+ \circ (\mu_n)_-$. Then for each game $A$ and for each strategy $\sigma : A \multimap D_\infty$, we have that

$$p_n \circ \sigma = \{s \mid s \in (\sigma \cap (M_A \cup \mu_n(M_{F^n(D)}))^\circledast)\};$$

moreover for each $n \in \mathbb N$:

- $p_n \sqsubseteq p_{n+1}$

- $\bigsqcup_{n \in \omega} p_n = id$

- $p_n \circ p_m = p_{\min\{m, n\}}$.

Using the above machinery, given an endofunctor $F$ in $\mathcal G$ (either contravariant or covariant), one can obtain a fixed point of $F$ provided there exists a covariant continuous functor $F^e$ in $\mathcal G^e$ which coincides with $F$ on objects.

One can easily see that this is the case for constant functors, the functors $\&$, $\otimes$, $\multimap$, $!$, $(\ )_\bot$ and their compositions.

3 Extensional $\lambda$-models in $K_!(\mathcal G)$

As is well known, a model for $\lambda\beta\eta$-calculus is a pair $\mathcal D = (D, f)$, where $D$ is an extensional reflexive object in a Cartesian closed category, i.e. an object $D$ such that $D$ is isomorphic to $D \to D$, and $f : D \to [D \to D]$ is an isomorphism. Two models $\mathcal D = (D, f)$, $\mathcal D' = (D', f')$ are isomorphic if there exists an isomorphism $g : D \to D'$ such that $f' \circ g = [g^{-1} \to g] \circ f$. This implies that the two "applicative structures" are the same, i.e. for each $\sigma, \tau : A \to D$ we have that $g \circ ev \circ \langle f \circ \sigma, \tau \rangle = ev \circ \langle f' \circ (g \circ \sigma), g \circ \tau \rangle$.

In this section, using the techniques outlined in Section 2, we define a subclass, $\mathcal D^*$, of extensional models in $K_!(\mathcal G)$, and prove the crucial result, namely, that each extensional model in $K_!(\mathcal G)$ is isomorphic to a model in $\mathcal D^*$. In Section 4 we will prove that all models in $\mathcal D^*$ induce the $\lambda$-theory $\mathcal H^*$.

The endofunctor $Fun$ on the category $\mathcal G^e$ is defined by putting:

- $Fun(D) = [D \to D] = (!D \multimap D)$

- $Fun(f) = [!f, f]$, for $f : A \rightarrowtail B$, where $!f((i, a)) = (i, f(a))$.

One can easily see that $Fun$ is continuous.

Definition 18. Let $\mathcal D^*$ be the class of $\lambda$-models $\mathcal D = (D, f)$ where $D$ is the limit of a chain generated by iterating the functor $Fun$ on an initial game $D_0$, using an initial embedding $f^* : D_0 \rightarrowtail Fun(D_0)$, such that for each $m \in M_{D_0}$, $f^*(m) = inr(m')$ for some $m' \in M_{D_0}$. And where the isomorphism $f : D \to Fun(D)$ in $K_!(\mathcal G)$ is $\varphi_+ \circ der_D$, where $\varphi$ is the isomorphic embedding given by the colimit construction.

Isomorphisms in $K_!(\mathcal G)$ can be reduced to isomorphisms in $\mathcal G^e$:

Proposition 3. For each isomorphism $\sigma : A \to B$ in $K_!(\mathcal G)$, there exists an isomorphic strategy $\sigma' : A \multimap B$ such that $\sigma = \sigma' \circ der_A$. And, for each isomorphic strategy $\sigma : A \multimap B$, there exists an isomorphic embedding $f_\sigma : A \rightarrowtail B$ such that $\sigma = (f_\sigma)_+$.

Proof. The proof of the first part is straightforward. In order to show the second part, recall from [3] that a history-free strategy $\sigma : A \multimap B$ can be described as a map $g_\sigma$ from Opponent's moves to Player's moves in the game $A \multimap B$. If $\sigma$ is an isomorphism, with inverse $\sigma^{-1}$, then $g_\sigma$ maps each Player's move of $A$ to a Player's move of $B$, and each Opponent's move in $B$ to an Opponent's move in $A$. In fact, suppose by contradiction that an Opponent's move $b \in M_B$ is such that $g_\sigma(b) = b'$ is a Player's move in $B$; then $g_{\sigma^{-1} \circ \sigma}(b) = b'$ and therefore $\sigma^{-1} \circ \sigma$ is not the copy-cat strategy. By a similar argument one can prove that $g_\sigma$ and $g_{\sigma^{-1}}$ are one the inverse of the other. The function $f_\sigma$ is then defined by

$$f_\sigma(a) = \begin{cases} g_\sigma(a) & \text{if } \lambda^{OP}(a) = O \\ g_{\sigma^{-1}}(a) & \text{if } \lambda^{OP}(a) = P \end{cases}$$

By an analysis similar to the one above, and using the bracketing condition, it is possible to prove that $f_\sigma$ preserves the labeling and that $f_\sigma^*(P_A) = P_B$. □

In order to establish the main result of this section, we need a new definition, and prove a technical lemma.



Definition 19. Given a game $A$ and a move $a \in M_A$, the rank of $a$, $r(a)$, is the smallest integer $n$ such that there exists a sequence of moves $a_1, \ldots, a_n$ such that $a_1, \ldots, a_n, a \in P_A$.



Lemma 1. For each game $A$, for each embedding $f : A \rightarrowtail Fun(A)$ and for each move $a \in M_A$, if $f(a) = inl((n, a'))$ then $r(a') < r(a)$; if $f(a) = inr(a')$ then $r(a') \le r(a)$.

Proof. Let $s_a$ be a minimal position with end point $a$. The projection of $f^*(s_a)$ on the left component must still be a position in $P_{!A}$. Its length is strictly smaller than that of $s_a$, since the initial move of $s_a$ has to be mapped onto a move on the right component. □



Theorem 3. Each extensional model in $K_!(\mathcal G)$ is isomorphic to a model in $\mathcal D^*$.

Proof. Let $(D, \sigma)$ be an extensional model in $K_!(\mathcal G)$. Then, by Proposition 3 there exists an isomorphic embedding $f : D \rightarrowtail Fun(D)$ such that $\sigma = f_+ \circ der_D$. Let $M_{D_0}$ be the largest subset of $M_D$ such that $\forall d \in M_{D_0}\ \exists d' \in M_{D_0}$ such that $f(d) = inr(d')$. Alternatively, with a slight abuse of notation, we can define $M_{D_0} = \{d \in D \mid \forall n \in \mathbb N.\ (inr^{-1} \circ f)^n(d) \text{ is defined}\}$.

It is immediate to verify that the quadruple $D_0 = (M_{D_0},\ \lambda_D \upharpoonright M_{D_0},\ P_D \cap M_{D_0}^\circledast,\ \approx_D \cap (M_{D_0}^\circledast \times M_{D_0}^\circledast))$ is indeed a sub-game of $D$. By the construction of $D_0$, it follows that $f_0 = f \upharpoonright_{M_{D_0}}$ is an embedding from $D_0$ to $Fun(D_0)$.
Let $D^*$ be the limit of the $\omega$-chain $(Fun^n(D_0), Fun^n(f_0))_{n \in \omega}$ and let $f^* : D^* \rightarrowtail Fun(D^*)$ be the isomorphic embedding induced by the limit construction. We will prove that there exists an isomorphic embedding $f' : D^* \rightarrowtail D$ such that $f \circ f' = Fun(f') \circ f^*$.

The isomorphism $f'$ is defined as follows: given $d \in Fun^n(D_0)$, $f'([d]_\equiv) = f_{0,n}^{-1}(d)$, where $f_{0,n} : D \rightarrowtail Fun^n(D)$ is the isomorphism $Fun^{n-1}(f) \circ \ldots \circ Fun(f) \circ f$. Since, for each $n \in \mathbb N$, $M_{Fun^n(D_0)} \subseteq M_{Fun^n(D)}$, $f'$ is a well defined function from $M_{D^*}$ to $M_D$. Moreover it is not difficult to verify that $f'$ is an embedding.

We need to prove that $f'$ is surjective. This can be done by induction on the rank of the moves in $D$. Formally, we will prove that for each move $d \in M_D$ there exists a move $d'$ in $M_{D^*}$ such that $d = f'(d')$.

— Basic step. This follows from the fact that all initial moves (i.e. moves of rank 0) are in $M_{D_0}$.

— Induction step. Let $d \in M_D$ be a move of rank $n + 1$; two possible cases arise. Either $d \in D_0$, and therefore $d = f'([d]_\equiv)$, or there exist $p, i \in \mathbb N$ and $d' \in M_D$ such that $\forall m \le p$, $(inr^{-1} \circ f)^m(d)$ is defined and $f((inr^{-1} \circ f)^p(d)) = inl((i, d'))$. By Lemma 1 the rank of $d'$ is less than $n + 1$ and, hence, by induction hypothesis, there exist $k \in \mathbb N$ and $d'' \in Fun^k(D_0)$ such that $d' = f'([d'']_\equiv)$. Let $d''' = inr^p \circ inl((i, d'')) \in Fun^{k+1+p}(D_0)$; it is not difficult to verify that $d = f'([d''']_\equiv)$.

Moreover, it is straightforward to verify that $f \circ f' = Fun(f') \circ f^*$, and from the fact that $[(f'^{-1})_+ \circ (f_+ \circ der_D)] = Fun(f')_+ \circ der_{D \to D}$, the theorem follows straightforwardly. □

4 The fine structure of models in $\mathcal D^*$

In order to analyze the equational theories induced by the models in $\mathcal D^*$, we establish an Approximation Theorem, in the style of [18,12]. Using this result we will be able to characterize the meaning of a term in the model as the lub of the set of the meanings of the syntactical approximants of the term.

To our knowledge this is the first time such a theorem is proved for models in "non-concrete" categories such as game models.

As usual it is convenient to consider $\Lambda(\Omega)$, an extension of the $\lambda$-calculus with a constant to denote divergence, and its indexed version $\Lambda(\Omega)^{\mathbb N}$.

Definition 20. 1. The set of $\lambda\Omega$-terms, $\Lambda(\Omega)$ ($\ni M$), is defined from a set of variables $Var$ ($\ni x$) as follows: $M ::= x \mid MM \mid \lambda x.M \mid \Omega$.

2. The set of (possibly) indexed terms $\Lambda(\Omega)^{\mathbb N}$ ($\ni M$) is the superset of $\Lambda(\Omega)$ defined as follows: $M ::= x \mid MM \mid \lambda x.M \mid \Omega \mid M^n$.

3. A term is truly indexed if it is of the shape $M^n$. A term is completely indexed if all its subterms of the shape constant, variable, abstraction, and application are immediate subterms of truly indexed terms.

The intended meaning of an indexed term $M^n$ is the $n$-th projection of the interpretation of the term $M$. Hence we give:
Definition 21. Let $\mathcal D = (D, \varphi)$ be in $\mathcal D^*$. The interpretation of a term $M \in \Lambda(\Omega)^{\mathbb N}$ (whose free variables are among the list $\Delta = \{x_1, \ldots, x_n\}$) in the model $\mathcal D$ is the strategy $[\![M]\!]^{\mathcal D}_\Delta :\ !(D \& \ldots \& D) \multimap D$ defined inductively as follows:

- $[\![x_i]\!]^{\mathcal D}_\Delta = \pi^n_i$;

- $[\![MN]\!]^{\mathcal D}_\Delta = ev \circ \langle (\varphi \circ [\![M]\!]^{\mathcal D}_\Delta), [\![N]\!]^{\mathcal D}_\Delta \rangle$;

- $[\![\lambda x.M]\!]^{\mathcal D}_\Delta = \psi \circ \Lambda([\![M]\!]^{\mathcal D}_{\Delta, x})$;

- $[\![M^n]\!]^{\mathcal D}_\Delta = p_n \circ [\![M]\!]^{\mathcal D}_\Delta$;

- $[\![\Omega]\!]^{\mathcal D}_\Delta = \sigma_\varepsilon$

where the $\pi^n_i$ are the canonical projection morphisms, $ev$ and $\Lambda$ denote "evaluation" and "abstraction" in the Cartesian closed category $\mathcal K_!(\mathcal G)$, $\sigma_\varepsilon = [\{\varepsilon\}]$, $\psi =$

and the $p_n$ are the strategies defined in Proposition 2.

Given strategies $\sigma, \tau$ with codomain $D$, we use the abbreviation $\sigma \cdot \tau$ to denote the strategy $ev \circ \langle (\varphi \circ \sigma), \tau \rangle$, and we will use an abbreviation for the game $\overbrace{D \& \ldots \& D}^{n}$.

The main result of this section is Theorem 6. In order to establish it we need 
several preliminary results. 

Lemma 2. For each model $\mathcal D = (D^*, \varphi)$ in $\mathcal D^*$, for each game $A$ and pair of strategies $\sigma, \tau :\ !A \multimap D^*$, we have:

- $(p_0 \circ \sigma) \cdot \tau = (p_0 \circ \sigma) \cdot \sigma_\varepsilon = p_0 \circ (\sigma \cdot \sigma_\varepsilon)$

- $(p_{n+1} \circ \sigma) \cdot \tau \sqsubseteq p_{n+1} \circ (\sigma \cdot (p_n \circ \tau))$ for all $n \in \mathbb N$.

Notice that in the statement of Lemma 2.2 we have taken an inequality rather than an equality. This is done in order to be able to deal simultaneously not only with models in $\mathcal D^*$, but also, in Section 5, with models obtained using the trick of Scott outlined in Section 2.

The following Lemmata and Definitions follow closely the pattern of [18,12], and they amount essentially to the game-theoretic version of the corresponding "continuous result".

Definition 22. The erasing function $\mathcal R : \Lambda(\Omega)^{\mathbb N} \to \Lambda(\Omega)$ is inductively defined as follows: $\mathcal R(x) = x$; $\mathcal R(\Omega) = \Omega$; $\mathcal R(PQ) = \mathcal R(P)\mathcal R(Q)$; $\mathcal R(\lambda x.P) = \lambda x.\mathcal R(P)$; $\mathcal R(M^n) = \mathcal R(M)$.

Lemma 3. For each model $\mathcal D = (D^*, \varphi)$ in $\mathcal D^*$, for each term $M \in \Lambda(\Omega)$ whose free variables are in $\Delta$, given a finite strategy $\sigma$ with codomain $D^*$ s.t. $\sigma \sqsubseteq [\![M]\!]^{\mathcal D}_\Delta$, there exists a natural number $n$ s.t. $\sigma \sqsubseteq [\![M^n]\!]^{\mathcal D}_\Delta$.

Lemma 4. For each model $\mathcal D = (D^*, \varphi)$ in $\mathcal D^*$, for each term $M \in \Lambda(\Omega)$ whose free variables are in $\Delta$, given a finite strategy $\sigma$ with codomain $D^*$ s.t. $\sigma \sqsubseteq [\![M]\!]^{\mathcal D}_\Delta$, there exists a completely indexed term $Q \in \Lambda(\Omega)^{\mathbb N}$ such that $\mathcal R(Q) = M$ and $\sigma \sqsubseteq [\![Q]\!]^{\mathcal D}_\Delta$.

Lemma 5. Let $\sigma : A$; then $\sigma = \bigsqcup\{\tau : A \mid \tau \text{ finite and } \tau \sqsubseteq \sigma\}$.

Proposition 4. For each model $\mathcal D = (D^*, \varphi)$ in $\mathcal D^*$, for each term $M \in \Lambda$, $[\![M]\!]^{\mathcal D}_\Delta = \bigsqcup\{[\![Q]\!]^{\mathcal D}_\Delta \mid Q \text{ is a completely indexed term s.t. } \mathcal R(Q) = M\}$.

Definition 23. The following reduction rules are definable on $\Lambda(\Omega)$:

$(\Omega_1)\ \lambda x.\Omega \to \Omega \qquad (\Omega_2)\ \Omega M \to \Omega$.

The following reductions are definable on completely indexed terms of $\Lambda(\Omega)^{\mathbb N}$:

$(\Omega^{\mathbb N})\ \lambda x.\Omega^n$

$(\beta_1)\ ((\lambda x.P^n)^{m+1} Q^p)^h \to (P[x/Q^a])^b$ where $b = \min\{n, m+1, h\}$, $a = \min\{m, p\}$

$(\beta_0)\ ((\lambda x.P)^0 Q)^h \to (P[x/\Omega])^0$

Notice again that the above definition of the $(\beta_1)$ indexed reduction rule and the statement of the following Theorem are not formulated as in [18], but are relaxed so as to take care of the model (see Section 5).

Theorem 4 (Validity of indexed reduction). For each model $\mathcal D = (D^*, \varphi)$ in $\mathcal D^*$, the rules $(\Omega^{\mathbb N})$, $(\Omega_2)$, $(\beta_1)$, $(\beta_0)$ and $(\beta_{ij})$ are valid in the following sense: let $P, Q \in \Lambda(\Omega)^{\mathbb N}$; then $(P \to Q) \Rightarrow [\![P]\!]_\Delta \sqsubseteq [\![Q]\!]_\Delta$.

Lemma 6. A completely indexed term $Q$ is $\Omega^{\mathbb N}\Omega_2\beta_0\beta_1\beta_{ij}$-normalizing.

Lemma 7. For each model $\mathcal D = (D^*, \varphi)$ in $\mathcal D^*$, for each term $M \in \Lambda$, $[\![M]\!]^{\mathcal D}_\Delta = \bigsqcup\{[\![N]\!]^{\mathcal D}_\Delta \mid \exists Q \text{ completely indexed term such that } \mathcal R(Q) = M \text{ and } N \text{ is the } \Omega^{\mathbb N}\Omega_2\beta_0\beta_1\beta_{ij}\text{-normal form of } Q\}$.

Definition 24. The direct approximant of a $\lambda$-term $M \in \Lambda$ is a normal form $A \in \Lambda(\Omega)$ obtained from $M$ by replacing each redex in $M$ by $\Omega$, and performing all the $\Omega_1\Omega_2$-reductions.

Definition 25. The set of approximants of $M$ is the set $\mathcal A(M) = \{A \mid \exists M'.\ M \to_{\beta\eta} M' \text{ and } A \text{ is the direct approximant of } M'\}$.

Theorem 5 (Approximation theorem). For each model $\mathcal D = (D^*, \varphi)$ in $\mathcal D^*$, for each term $M \in \Lambda$, $[\![M]\!]^{\mathcal D}_\Delta = \bigsqcup\{[\![A]\!]^{\mathcal D}_\Delta \mid A \in \mathcal A(M)\}$.

Theorem 6. For each model $\mathcal D = (D^*, \varphi)$ in $\mathcal D^*$, $Th(\mathcal D) = \mathcal H^*$.

Proof (sketch). Using Theorems 4 and 5, the standard argument for the continuous case (see e.g. [6] Sec. 19.2) can be mimicked in the game setting. □
5 Examples of game models for $\lambda\beta\eta$-calculus

We introduce four extensional $\lambda$-models in $\mathcal K_!(\mathcal G)$. The first three are defined using Theorem 2. The first two belong to $\mathcal D^*$, while the third does not. The fourth is the model obtained by Scott's trick as outlined in Section 2.

Definition 26. 1. Let $D^*_0 = (\{*\}, \lambda(*) = OQ, \{\varepsilon, *\}, id)$ and define $f_* : D^*_0 \to (!D^*_0 \multimap D^*_0)$ by $f_*(*) = inr(*)$;

2. let $D^{*\circ}_0 = (\{*, \circ\}, (\lambda(*) = OQ, \lambda(\circ) = PQ), \{\varepsilon, *, *\circ\}, id)$ and define $f_{*\circ} : D^{*\circ}_0 \to (!D^{*\circ}_0 \multimap D^{*\circ}_0)$ by $f_{*\circ}(*) = inr(*)$ and $f_{*\circ}(\circ) = inr(\circ)$;

3. let $D^{**}_0 = (\{*, \circ\}, (\lambda(*) = OQ, \lambda(\circ) = PQ), \{\varepsilon, *, *\circ\}, id)$ and define $f_{**} : D^{**}_0 \to (!D^{**}_0 \multimap D^{**}_0)$ by $f_{**}(*) = inr(*)$ and $f_{**}(\circ) = inl((0, *))$.

Definition 27. The models $D^*, D^{*\circ}, D^{**}$ are determined by the limits of the chains generated by iterating the functor $Fun$ on the embeddings $f_*, f_{*\circ}, f_{**}$, and by the corresponding injection $\varphi$ respectively.

Definition 28. Let $A_{\mathbb N} = (\mathbb N, \lambda n.OQ, \{\varepsilon\} \cup \mathbb N, id)$. The model $D^{\mathbb N}$ is the one naturally induced by the least fixed point of the functor $F(D) =\ !D \multimap A_{\mathbb N}$, where the following chain holds for every $n \in \mathbb N$: $D^{\mathbb N}_{n+1} \simeq\ !D^{\mathbb N}_n \multimap A_{\mathbb N} \simeq\ !D^{\mathbb N}_n \multimap (A_{\mathbb N} \& A_{\mathbb N}) \simeq (!D^{\mathbb N}_n \multimap A_{\mathbb N}) \& (!D^{\mathbb N}_n \multimap A_{\mathbb N}) \simeq D^{\mathbb N}_{n+1} \& D^{\mathbb N}_{n+1}$, and hence $D^{\mathbb N}_{n+1} \simeq\ !D^{\mathbb N}_n \multimap A_{\mathbb N} \simeq\ !(D^{\mathbb N}_n \& D^{\mathbb N}_n) \multimap A_{\mathbb N} \simeq\ !D^{\mathbb N}_n \multimap (!D^{\mathbb N}_n \multimap A_{\mathbb N}) \simeq\ !D^{\mathbb N}_n \multimap D^{\mathbb N}_{n+1}$.

One can easily see that $D^{\mathbb N}$ is a $\lambda$-model since any bijection $p : \mathbb N + \mathbb N \to \mathbb N$ induces an isomorphism between $A_{\mathbb N}$ and $A_{\mathbb N} \& A_{\mathbb N}$.



6 Conclusions and Final Remarks 

In this paper we have shown that all extensional $\lambda$-models in the category $\mathcal K_!(\mathcal G)$ of [3] induce the same $\lambda$-theory, namely the well-known theory $\mathcal H^*$. It is natural to conjecture, therefore, that there is also only one non-extensional sensible $\lambda$-theory which can be modeled using games. We recall that a sensible $\lambda$-theory is a theory where all unsolvable terms are equated. This would be the theory $\mathcal B$ of Böhm trees, and would be the theory of any reflexive object $(D, f)$ in $\mathcal K_!(\mathcal G)$ for which $f$ maps the undefined strategy on $!D \multimap D$ to the undefined strategy on $D$, but is not an isomorphism.

Our results clearly indicate that existing game models are even more rigid than continuous models. But is this really a "surprise", or a "bad surprise"? Definitely there must be some intrinsic feature of games, as they are currently defined, that is intimately related with head reduction. Probably it is not the fact that we have considered only "history-free" strategies; more likely it has to do with the "strict" protocol of alternation of moves between Opponent and Player. We feel, however, that once the appropriate constraint is relaxed, the perspicuous analytic power of games will become applicable also to other reduction strategies, besides head reduction.
We end this paper with two technical remarks. In the game models of the $\lambda$-calculus that we have introduced it is not necessary to take an extensional quotient at the end in order to get a "fully abstract" model, as is done in the typed case [3] or in the lazy case. The essential ingredient in the proof of Theorem 6 is Lemma 2. The same argument used there implies also that CPO models obtained using "Scott's trick" as presented in [17] induce the theory $\mathcal H^*$.
Abstract. Induction-recursion is a schema which formalizes the principles for introducing new sets in Martin-Löf's type theory. It states that we may inductively define a set while simultaneously defining a function from this set into an arbitrary type by structural recursion. This extends the notion of an inductively defined set substantially and allows us to introduce universes and higher order universes (but not a Mahlo universe). In this article we give a finite axiomatization of inductive-recursive definitions. We prove consistency by constructing a set-theoretic model which makes use of one Mahlo cardinal.



1 Introduction 

In this article we present an elegant, uniform method for introducing large sets in 
type theory. We draw on experience from proof theory, category theory, and set 
theory to formulate a compact, completely formal theory of inductive-recursive 
definitions, and to prove its consistency. 

Induction-recursion is a schema for introducing new sets in type theory developed by Dybjer [18]. All the usual sets in Martin-Löf's type theory, and practically all sets (data types) which are defined in analogy with it, are instances of this schema. Applications of induction-recursion include not only a variety of type-theoretic analogues of large cardinals (inaccessible cardinals, hyper-inaccessible cardinals, etc.) but also various powerful notions needed for the type-theoretic formalization of metamathematics (such as reducibility predicates and logical relations for dependent types). Induction-recursion can also provide novel ways to formalize simple concepts such as the set of lists with distinct elements [18].

The original presentation of induction-recursion was as an external schema 
[18]. In this article we internalize this concept. The new theory has a special 
type of codes for inductive-recursive definitions. New sets defined by induction- 
recursion are introduced by deriving codes in this type. Therefore we achieve full 
precision of the concept of an inductive-recursive definition. The meta-theory 
becomes easier, as will be demonstrated by building a full function space model. 
Ordinary dependent type theory with generalized inductive definitions (that is, Martin-Löf's type theory without universes) has a natural full function space interpretation in classical set theory [5,20]. As shown by our construction of a set-theoretic model, the step from inductive to inductive-recursive definitions in type theory is roughly analogous to moving from ordinary ZF set theory to ZF set theory with a Mahlo cardinal. The proof-theoretic strength of type theory increases accordingly when inductive-recursive definitions are added. The consistency of the theory is shown without assuming the positivity restriction on parameters needed for Dybjer's original realizability model of inductive-recursive definitions [18].

The new theory explains that induction-recursion can be viewed as a very general reflection principle: given finitely many (possibly infinitary) operations on a type $D$, we can construct by simultaneous induction-recursion a universe $U$ with decoding function $T : U \to D$, which reflects each of the $D$-operations. This reflection principle can be expressed formally by a diagram which extends the initial algebra diagram used for categorical semantics of inductively defined sets. The resulting theory has been implemented in the Half system, a proof assistant for Martin-Löf's type theory developed by Coquand and Synek, see Cederquist [15].

Plan of the paper. In Section 2 we present Martin-Löf's Logical Framework. In Section 3 we recall how to use initial algebras for giving categorical semantics of inductive types in the simply typed lambda calculus. In Section 4 we discuss the step from induction to induction-recursion and how we need to modify the notion of an endofunctor $\Phi$ and of an initial $\Phi$-algebra in order to capture the formal rules for induction-recursion. We then show how to give a finite axiomatization of inductive-recursive definitions by introducing a type of codes for such modified endofunctors. In Section 5 we show how to recover some well-known set constructors by giving appropriate codes. In Section 6 we build a set-theoretic model. In Section 7 we mention some related work.

2 An Extension of the Logical Framework 

The Logical Framework (see [21]) has the following forms of judgements: $\Gamma$ context, and $A : type$, $A = B : type$, $a : A$, $a = b : A$, depending on contexts $\Gamma$ (written as $\Gamma \Rightarrow A : type$, etc.). We have $set : type$ and if $A : set$, then $A : type$. The collection of types is closed under the formation of dependent function types written as $(x : A) \to B$, with elements formed by abstraction $(x : A)a$, application written in the form $a(b)$ and which has the $\eta$-rule. Types are also closed under the formation of dependent products written as $(x : A) \times B$, with elements $(a, b)$, projections $\pi_0$ and $\pi_1$ and again the $\eta$-rule (surjective pairing). There is also the type $1$, with unique element $() : 1$ and $\eta$-rule expressing that if $a : 1$, then $a = () : 1$.

We will add a level between set and type, which we call stype for small types: $stype : type$. (The reason for the need for stype is discussed in [18].) If $a : set$ then $a : stype$. Moreover, stype is also closed under dependent function types, dependent products and includes the one-element type. However, set itself will not be in stype.

Finally, in order to make it possible to code all constructors into one (see the remark on page 132), we add the set $B$ of booleans with elements $tt$ for true and $ff$ for false and as elimination rule case distinction $if\ a\ then\ b\ else\ c : D$ for $a : B$, $D : type$ and $b, c : D$.

We also use some abbreviations, such as omitting the type in an abstraction, that is, writing $(x)a$ instead of $(x : A)a$, and writing repeated application as $a(b_1, \ldots, b_n)$ instead of $a(b_1) \cdots (b_n)$ and repeated abstraction as $(x_1 : A_1, \ldots, x_n : A_n)a$ instead of $(x_1 : A_1) \cdots (x_n : A_n)a$.



3 Inductive Types as Initial Algebras 



Let us first consider the question of how to formalize inductive types in the setting of the simply typed $\lambda$-calculus. We shall consider generalized inductive definitions of types given by a finite number of constructors

$intro_i : \Phi_i(U) \to U$,

where the $\Phi_i$ are strictly positive in the following restricted sense:

- The constant functor $\Phi(D) = 1$ is strictly positive. This is the base case corresponding to an introduction rule with no premises.

- If $\Psi$ is strictly positive and $A$ is an stype, then $\Phi(D) = A \times \Psi(D)$ is strictly positive. This corresponds to the addition of a non-inductive¹ premise.

- If $\Psi$ is strictly positive and $A$ is an stype, then $\Phi(D) = (A \to D) \times \Psi(D)$ is strictly positive. This corresponds to the addition of an inductive premise, where $A$ corresponds to the hypotheses of this premise in a generalized inductive definition (and when $A = 1$ we have the special case of an ordinary inductive definition).

Note that all occurrences of $U$ in $\Phi(U)$ are strictly positive in the standard sense that $U$ does not occur to the left of an arrow in $\Phi(U)$.

Assume $\Phi_1, \ldots, \Phi_n$ are strictly positive functors, and let $\Phi := (\Phi_1, \ldots, \Phi_n)$. Then the inductive type generated by $\Phi$ can be captured categorically as an initial $\Phi$-algebra, that is, a sequence of arrows ($i = 1, \ldots, n$)

$intro_i : \Phi_i(U) \to U$

such that for any other $\Phi$-algebra

$d_i : \Phi_i(D) \to D$

¹ In [18] the terminology "non-recursive premise" was used, but "non-inductive premise" seems better in connection with induction-recursion, since it primarily has to do with the inductively defined set and not with the recursively defined function. Similarly we will use "inductive premise" instead of "recursive premise".
there is a unique arrow $T : U \to D$ such that the following diagrams commute (the square with top row $intro_i : \Phi_i(U) \to U$, bottom row $d_i : \Phi_i(D) \to D$, and vertical arrows $\Phi_i(T)$ on the left and $T$ on the right):

$T \circ intro_i = d_i \circ \Phi_i(T)$.

4 Inductive-Recursive Definitions 

4.1 From Inductive to Inductive-Recursive Definitions

In the presence of dependent types more inductive definitions become possible. Let us look at some examples:

The set $\Sigma(A, B)$ has one constructor $p : (x : A) \to (y : B(x)) \to \Sigma(A, B)$. It has two non-inductive arguments, where the type $B(x)$ of the second argument depends on the first premise $x : A$.

The well-ordering set $W(A, B)$ has one constructor $sup : (x : A) \to (y : B(x) \to W(A, B)) \to W(A, B)$. It has a first non-inductive argument $x$ and a second $B(x)$-indexed inductive argument $y$. So the second argument depends on the first non-inductive argument.

Both are examples of inductive definitions (no simultaneously defined function participates in the definition yet). In this case later premises can only depend on earlier non-inductive premises, but not on earlier inductive premises. We cannot make use of inductive premises, because they only give information about the set we are currently defining.

To capture inductive definitions of sets in the presence of dependent types [20,1], we thus only need to change the notion of a strictly positive functor $\Phi$ above by replacing the non-inductive case by:

- If $A$ is an stype, and $\Psi_x$ is a strictly positive functor depending on $x : A$, then $\Phi(D) = (x : A) \times \Psi_x(D)$ is strictly positive.

We shall now replace the sequence of functors $(\Phi_1, \ldots, \Phi_n)$ by a single functor by defining $\Phi(D) := (x : N_n) \times \Phi_x(D)$. In order to make this possible we need the existence of finite sets $N_n$ with $n$ elements. An easy observation shows that $B$ and the empty set $N_0$ suffice. (It will however be possible to define $N_0$, see Section 5.)

In the case of inductive-recursive definitions, however, a later premise may also depend on an earlier inductive premise. We consider the key example, the ordinary first universe $U$ à la Tarski [3], which is defined inductively, while simultaneously defining the decoding function $T : U \to set$ recursively. Consider one of its constructors, $\Sigma : (x : U) \to (y : T(x) \to U) \to U$ with the defining equality $T(\Sigma(a, b)) = \Sigma(T(a), T \circ b) : set$. Here we have two inductive premises: $x : U$ (implicitly indexed by the one-element type $1$) and $y : U$ indexed by $T(x)$. The second argument depends on the first inductive argument via $T$.
Is $U$ inductively generated by a strictly positive functor $\Phi$ as was the case for inductively defined sets? If this is the case, $\Phi$ must depend on the recursively defined function $T$ as well: we need something like $\Phi : (U : set) \to (T : U \to set) \to set$ defined by $\Phi(U, T) = (x : U) \times (T(x) \to U)$!

In general, induction-recursion allows that a simultaneously defined function $T : U \to D$ for an arbitrary fixed type $D$ may participate in the inductive generation of the set $U$.

- The modified non-inductive case thus becomes: if $A$ is an stype, and $\Psi_x$ is a strictly positive functor depending on $x : A$, then $\Phi(U, T) = (x : A) \times \Psi_x(U, T)$ is strictly positive.

- The modified inductive case becomes: if $A$ is an stype, and $\Psi_g$ is a strictly positive functor depending on $g : A \to D$, then $\Phi(U, T) = (f : A \to U) \times \Psi_{T \circ f}(U, T)$ is strictly positive.²

We see that the $\Phi$ which generates $U$ (as defined above) is isomorphic to the following strictly positive functor: $\Phi(U, T) = (f : 1 \to U) \times (T(f(())) \to U)$. Furthermore, $T$ is defined by $T(\Sigma(a, b)) = \Sigma(T(a), T \circ b)$, i.e. $T(\Sigma(a, b)) = d(T(a), T \circ b)$ with $d : (A : set) \to (A \to set) \to set$ and $d(A, B) := \Sigma(A, B)$.

In general, we need an additional component $\Phi^{Arg}$ which specifies the domain of $d$. (Note that this domain only depends on $D$ and not on $U$ and $T$!) Finally, we need a third component $\Phi^{map}(U, T) : \Phi^{arg}(U, T) \to \Phi^{Arg}$ and then we can draw a diagram (the square with top row $intro : \Phi^{arg}(U, T) \to U$, bottom row $d : \Phi^{Arg} \to D$, and vertical arrows $\Phi^{map}(U, T)$ on the left and $T$ on the right) which summarizes the inductive definition of $U$ and the recursive definition of $T$. Think of $D$ as a type of "semantic" objects and of $d : \Phi^{Arg} \to D$ as a (possibly infinitary) "semantic" operation with $\Phi^{Arg}$ as the domain (or generalized arity) of $d$. $U$ is a universe of codes for objects in $D$ and $T : U \to D$ is the decoding function. The constructor $intro$ is the syntactic reflection of $d : \Phi^{Arg} \to D$.³ Note the similarity between the above diagram for induction-recursion and the ordinary diagram for an initial algebra of an endofunctor which was displayed in Section 2! The key difference is that here $\Phi$ is no longer a functor in the ordinary sense, but consists of three components: $\Phi^{Arg}$, $\Phi^{arg}$, $\Phi^{map}$. These will be axiomatized below.

² As this example shows, the term "strictly positive" may no longer be wholly appropriate, since the $T$-argument now can appear negatively. Allen [12] used the alternative term "half-positive" for this reason. $U$ always appears strictly positively, however.

³ Recall that the term "universe à la Tarski" was chosen by Martin-Löf [3] because of the similarity between the definition of $T$ (for the ordinary first universe) and Tarski's definition of truth.
4.2 A Finite Axiomatization

We shall now give the formal rules for the inductive-recursive definition of a set $U$ and a function $T : U \to D$. Such a definition is always parameterized with respect to the target type $D$ of $T$, since a particular inductive-recursive definition generates a universe for a finite number of $D$-operations.

The main step is to introduce a new type $SP_D$, the objects of which are representatives of strictly positive "functors" $\Phi$ as above:

$$\frac{D : type}{SP_D : type}$$

(There is also a rule which lets us infer that $SP_D = SP_{D'}$ if $D = D'$, but we will omit all such equality preservation rules.)

$SP_D$ has three associated operations corresponding to $\Phi^{Arg}$, $\Phi^{arg}$ and $\Phi^{map}$ in the informal exposition above:

$$\frac{D : type \quad \phi : SP_D}{Arg_{D,\phi} : type}$$

$$\frac{\phi : SP_D \quad U : set \quad T : U \to D}{arg_\phi(U, T) : stype}$$

$$\frac{\phi : SP_D \quad U : set \quad T : U \to D}{map_\phi(U, T) : (arg_\phi(U, T)) \to Arg_{D,\phi}}$$

To simplify notation we have suppressed the parameter (the "global" premise) $D : type$ and the argument $D$ for the second and third operation⁴. It should be emphasized that $arg_\phi$ and $map_\phi$ are only abbreviations of the proper formal expressions $arg_{D,\phi}$ and $map_{D,\phi}$. Similarly, we will suppress the $D$ in some later operations as well.

With this new notation the diagram for the inductive-recursive definition of $U$ and $T$ becomes the square with top row $intro_{\phi,d} : arg_\phi(U_{\phi,d}, T_{\phi,d}) \to U_{\phi,d}$, bottom row $d : Arg_{D,\phi} \to D$, and vertical arrows $map_\phi(U_{\phi,d}, T_{\phi,d})$ on the left and $T_{\phi,d}$ on the right.

⁴ In $Arg$ we have not suppressed it, since the equality rules for it will make use of $D$.
We have the following introduction rules for $SP_D$ (again with $D$ suppressed):

$$nil : SP_D$$

$$\frac{A : stype \quad \phi : A \to SP_D}{nonind(A, \phi) : SP_D}$$

$$\frac{A : stype \quad \phi : (A \to D) \to SP_D}{ind(A, \phi) : SP_D}$$

$Arg_{D,nil} = 1$

$Arg_{D,nonind(A,\phi)} = (x : A) \times Arg_{D,\phi(x)}$

$Arg_{D,ind(A,\phi)} = (g : A \to D) \times Arg_{D,\phi(g)}$

$arg_{nil}(U, T) = 1$

$arg_{nonind(A,\phi)}(U, T) = (x : A) \times (arg_{\phi(x)}(U, T))$

$arg_{ind(A,\phi)}(U, T) = (f : A \to U) \times (arg_{\phi(T \circ f)}(U, T))$

$map_{nil}(U, T, ()) = ()$

$map_{nonind(A,\phi)}(U, T, (a, \gamma)) = (a, map_{\phi(a)}(U, T, \gamma))$

$map_{ind(A,\phi)}(U, T, (f, \gamma)) = (T \circ f, map_{\phi(T \circ f)}(U, T, \gamma))$

We are now ready to give the formal rules for $U$ and $T$. These rules have the common premises $D : type$, $\phi : SP_D$ and $d : Arg_{D,\phi} \to D$, which will be omitted.

Formation rules:

$U_{\phi,d} : set$

$T_{\phi,d} : U_{\phi,d} \to D$

Introduction rule:

$$\frac{a : arg_\phi(U_{\phi,d}, T_{\phi,d})}{intro_{\phi,d}(a) : U_{\phi,d}}$$

Equality rule:

$$\frac{a : arg_\phi(U_{\phi,d}, T_{\phi,d})}{T_{\phi,d}(intro_{\phi,d}(a)) = d(map_\phi(U_{\phi,d}, T_{\phi,d}, a))}$$

Moreover, structural recursion on $U$ into a type $D'$, that is, the analogue of universe elimination, is expressed by the following diagram (we omit the indices $\phi, d$ of $U$, $T$, $intro$, $R$, write $D'[t]$ for the substitution of some fixed variable in $D'$ by $t$ and, when used as an argument, $D'$ instead of $(x)D'[x]$; assume in the following $x : U \Rightarrow D'[x] : type$ as a global premise): the square with top row $intro : arg_\phi(U, T) \to U$, bottom row $\langle intro \circ \pi_0, e \rangle : (\gamma : arg_\phi(U, T)) \times IH_{\phi,U,T,D'}(\gamma) \to (x : U) \times D'[x]$, and vertical arrows $\langle id, mapIH_{\phi,U,T,D'}(R_{D'}(e)) \rangle$ on the left and $\langle id, R_{D'}(e) \rangle$ on the right,
where we have used the operation $IH$ which generates the induction hypothesis and the operation $mapIH$ which generates the recursive call:

$$\frac{U : set \quad T : (x : U) \to D \quad x : U \Rightarrow D'[x] : type \quad \gamma : arg_\phi(U, T)}{IH_{\phi,U,T,D'}(\gamma) : type}$$

$$\frac{U : set \quad T : (x : U) \to D \quad x : U \Rightarrow D'[x] : type \quad R : (x : U) \to D'[x]}{mapIH_{\phi,U,T,D'}(R) : (\gamma : arg_\phi(U, T)) \to IH_{\phi,U,T,D'}(\gamma)}$$

$IH_{nil,U,T,D'}(()) = 1$

$IH_{nonind(A,\phi),U,T,D'}((a, \gamma)) = IH_{\phi(a),U,T,D'}(\gamma)$

$IH_{ind(A,\phi),U,T,D'}((f, \gamma)) = ((y : A) \to D'[f(y)]) \times (IH_{\phi(T \circ f),U,T,D'}(\gamma))$

$mapIH_{nil,U,T,D'}(R, ()) = ()$

$mapIH_{nonind(A,\phi),U,T,D'}(R, (a, \gamma)) = mapIH_{\phi(a),U,T,D'}(R, \gamma)$

$mapIH_{ind(A,\phi),U,T,D'}(R, (f, \gamma)) = (R \circ f, mapIH_{\phi(T \circ f),U,T,D'}(R, \gamma))$

Elimination rule (universe elimination):

$$\frac{e : (\gamma : arg_\phi(U_{\phi,d}, T_{\phi,d})) \to IH_{\phi,U_{\phi,d},T_{\phi,d},D'}(\gamma) \to D'[intro_{\phi,d}(\gamma)]}{R_{\phi,d,D'}(e) : (a : U_{\phi,d}) \to D'[a]}$$

Equality rule (universe elimination, premises omitted):

$R_{\phi,d,D'}(e, intro_{\phi,d}(\gamma)) = e(\gamma, mapIH_{\phi,U_{\phi,d},T_{\phi,d},D'}(R_{\phi,d,D'}(e), \gamma))$



5 Examples

We shall show how to find $\phi : SP_D$ for some well-known set constructors. (Compare the informal discussion in Section 4.1.) We will write $intro$ instead of $intro_{\phi,d}$. In the first examples let $D := 1$ and $d := (x : C)()$ for some suitable type $C$, since this is how we obtain inductive definitions as degenerate cases of inductive-recursive definitions.

$\Sigma$-sets. Let

$\phi_{A,B} := nonind(A, (x)nonind(B(x), (y)nil))$

in the context $A : set$, $B : A \to set$. It follows that $\Sigma(A, B) := U_{\phi_{A,B},d} : set$. This set has the constructor $intro : ((x : A) \times (B(x) \times 1)) \to \Sigma(A, B)$. If we define $p := (A, B, x, y)intro((x, (y, ())))$, then $p : (A : set, B : A \to set, x : A, y : B(x)) \to \Sigma(A, B)$ and one can easily derive the ordinary elimination rules as if $p$ were the constructor of $\Sigma$. Note that this illustrates that we get dependencies on parameters (in the sense of Dybjer [1,18]) like $A, B$ for free.
Natural numbers. Let

$\phi := nonind(B, (x)\ if\ x\ then\ nil\ else\ ind(1, (y)nil))$,

$N := U_{\phi,d}$,

$0 := intro((tt, ())) : N$,

$S := (n)intro((ff, ((y)n, ()))) : N \to N$.

Although this definition is like the definition of $N$ by the equation $N = 1 + (1 \to N) \times 1$, because of the $\eta$-rule on $1$ this is equivalent to the ordinary definition of $N$. The usual elimination rules for $N$ can be derived.

The empty set. Let

$\phi := ind(1, (x)nil)$,

and define $N_0 := U_{\phi,d}$. Then we can show the elimination rule for the empty set $N_0$. Note that this corresponds to the definition of $N_0$ by having one constructor $intro : N_0 \to N_0$. We can now define $N_0 := U_{nonind(N_0,(x)nil),d}$, which can be regarded as the empty set with no constructors. However, one might prefer to add the set $N_0$, like the set $B$, as a basic set.

Well-orderings. Let

$\phi_{A,B} := nonind(A, (x)ind(B(x), (y)nil))$,

in the context $A : set$, $B : (x : A) \to set$, and define $W(A, B) := U_{\phi_{A,B},d} : set$ with the constructor $intro : ((x : A) \times ((B(x) \to W(A, B)) \times 1)) \to W(A, B)$. As before we can define the ordinary constructor $sup$ with its elimination rules.

A universe closed under $N$ and $\Sigma$. Let $D := set$,

$\phi := nonind(B, (x)\ if\ x\ then\ nil\ else\ ind(1, (f)ind(f(()), (y)nil)))$.

Hence $Arg_{D,\phi} = (x : B) \times E(x)$, with

$E(tt) = 1$,

$E(ff) = (x : 1 \to set) \times (f : x(()) \to set) \times 1$.

Moreover, let $d : Arg_{D,\phi} \to set$ be defined such that

$d((tt, ())) = N$,

$d((ff, (A, (B, ())))) = \Sigma(A(()), (y)B(y))$,

using the elimination rules for $B$ and product. Define $U' := U_{\phi,d}$, $T' := T_{\phi,d}$ and

$N := intro((tt, ())) : U'$,

$\Sigma := (a, b)intro((ff, ((x)a, (b, ())))) : (a : U', b : T'(a) \to U') \to U'$.

$N$ and $\Sigma$ are essentially the two constructors of the universe $U', T'$ and we have $T'(N) = N$, $T'(\Sigma(a, b)) = \Sigma(T'(a), T' \circ b)$.
Lists with distinct elements. Assume $A : set$ and $\# : (A \times A) \to set$, where $\#$ is an (infix) apartness relation on $A$. In [18] the set $Dlist$ of lists with elements which are distinct with respect to the relation $\#$ is defined inductively together with the recursively defined relation (family of sets) $Fresh : Dlist \to A \to set$, where $Fresh(l, a)$ expresses that $a$ is distinct from all elements in $l$. (If we wish to make the dependence on the parameters $A$ and $\#$ explicit, we may write $Dlist(A, \#)$ and $Fresh(A, \#)$.) $Dlist$ has the constructors⁵

$empty : Dlist$,

$cons : (a : A, u : Dlist, Fresh(u, a)) \to Dlist$,

and $Fresh(l, a)$ is defined such that

$Fresh(empty) = (b)1$,

$Fresh(cons(a, u, p)) = (b)((b \# a) \wedge Fresh(u, b))$.

Then $Dlist = U_{\phi_{A,\#},d_{A,\#}}$, $Fresh = T_{\phi_{A,\#},d_{A,\#}}$, where $D := A \to set$,

$\phi_{A,\#} := nonind(B, (x)\ if\ x\ then\ nil\ else\ nonind(A, (a)ind(1, (u)nonind(u((), a), (p)nil))))$,

$d_{A,\#}((tt, ())) = (b)1$,

$d_{A,\#}((ff, (a, (u, (p, ()))))) = (b)((b \# a) \wedge u((), b))$.

The above examples show that we can derive all inductive-recursive sets in a form which is close to the way we would ordinarily like to write them down. We must for example write the arguments in list notation and, if we have a non-indexed inductive argument, write it as an argument depending on the type $1$. In an implementation of the calculus one could of course easily avoid this administrative overhead.



6 Set-Theoretic Model

6.1 Interpretation of Expressions

The idea behind the model is simple: interpret all constructions in set theory in the obvious way! In particular, each type is interpreted as a set, equal types are interpreted as equal sets, $a : A$ is interpreted as $a \in A$, and $a = b : A$ is interpreted as $a$ and $b$ being equal elements of $A$. Moreover, $A \to B$ is interpreted as the set of all functions from $A$ to $B$ in the set-theoretic sense, and $(x : A) \to B$ as the set-theoretic cartesian product etc.

The inductively defined type $SP_D$ of codes for strictly positive operators is interpreted as an inductively defined set in the set-theoretic sense, that is, as a set generated by iterating a monotone operator up to a fixed point. Similarly, the inductive-recursively defined set $U$ and function $T : U \to D$ are also interpreted by iterating a monotone operator up to a fixed point.
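The codes of Section 4.2 (nil, nonind, ind with their arg and map clauses), the $N$ and $Dlist$ examples of Section 5 and the fixed-point iteration just described can all be run on finite data. The following Python is an added example, not the paper's own formalization: it represents codes as tagged tuples, functions $f : A \to U$ as tuples aligned with a listing of $A$, $D$-values for $D = A \to set$ as tuples of finite proof sets, and iterates $(U, T) \mapsto (intro(arg_\phi(U, T)), d \circ map_\phi)$ until $U$ stops growing; every name and representation choice below (arg, map_, ir_fixpoint, A_DLIST, apart, d_dlist, to_list) is a construction for this example.

```python
"""Finite, set-theoretic reading of the SP_D codes (constructed example).

Conventions (all chosen for this example, not taken from the paper):
  code      : ('nil',) | ('nonind', A, phi) | ('ind', A, phi); A is a tuple
              listing a finite stype, phi a Python function returning a code
              (for 'ind', phi receives the function T o f).
  f : A->U  : a tuple of elements of U aligned with the listing of A.
  element   : ('intro', a), a being an argument tuple shaped like arg_phi(U, T).
  T         : a dict from elements of U to (hashable) D-values.
"""
from itertools import product

NIL = ('nil',)
ONE = ((),)            # the one-element stype 1, listed as a tuple
B = (True, False)      # the booleans, tt and ff


def nonind(A, phi):
    return ('nonind', tuple(A), phi)


def ind(A, phi):
    return ('ind', tuple(A), phi)


def arg(code, U, T):
    """arg_phi(U, T): every argument tuple constructible from finite U, T."""
    tag = code[0]
    if tag == 'nil':
        return [()]
    _, A, phi = code
    if tag == 'nonind':
        return [(x, g) for x in A for g in arg(phi(x), U, T)]
    out = []
    for f in product(tuple(U), repeat=len(A)):   # every function f : A -> U
        Tf = tuple(T[u] for u in f)               # T o f : A -> D
        out.extend((f, g) for g in arg(phi(Tf), U, T))
    return out


def map_(code, U, T, a):
    """map_phi(U, T, a): replace each inductive argument f by T o f."""
    tag = code[0]
    if tag == 'nil':
        return ()
    _, A, phi = code
    if tag == 'nonind':
        x, g = a
        return (x, map_(phi(x), U, T, g))
    f, g = a
    Tf = tuple(T[u] for u in f)
    return (Tf, map_(phi(Tf), U, T, g))


def ir_fixpoint(code, d, max_steps=50):
    """Iterate U_{k+1} = intro(arg_phi(U_k, T_k)), T_{k+1}(intro(a)) = d(map a).
    Returns (U, T, converged); converged is False if max_steps was reached."""
    U, T = frozenset(), {}
    for _ in range(max_steps):
        new_U = frozenset(('intro', a) for a in arg(code, U, T))
        new_T = dict(T)
        for u in new_U:
            if u not in new_T:
                new_T[u] = d(map_(code, U, T, u[1]))
        if new_U == U:
            return U, T, True
        U, T = new_U, new_T
    return U, T, False


# Natural numbers (Section 5): D = 1, so d is constant and U never closes.
NAT_CODE = nonind(B, lambda x: NIL if x else ind(ONE, lambda y: NIL))

# Lists with distinct elements over a constructed finite A, apartness "not equal".
A_DLIST = (0, 1, 2)


def apart(b, a):
    """The set b # a, represented by its (at most one) proof object."""
    return frozenset({()}) if b != a else frozenset()


# phi_{A,#} of Section 5; u : 1 -> D, so u[0] is Fresh(l) as a tuple over A.
DLIST_CODE = nonind(B, lambda x: NIL if x else nonind(
    A_DLIST, lambda a: ind(ONE, lambda u: nonind(
        u[0][A_DLIST.index(a)], lambda p: NIL))))


def d_dlist(value):
    """d_{A,#}: Fresh(empty) = (b)1; Fresh(cons(a,u,p)) = (b)((b#a) x u((),b))."""
    x, rest = value
    if x:
        return tuple(frozenset({()}) for _ in A_DLIST)
    a, (u, (p, _)) = rest
    return tuple(frozenset((q, r) for q in apart(b, a) for r in u[0][A_DLIST.index(b)])
                 for b in A_DLIST)


def to_list(elem):
    """Read a Dlist element back as a Python list, head first."""
    x, rest = elem[1]
    if x:
        return []
    a, (f, _) = rest
    return [a] + to_list(f[0])
```

For A_DLIST of size 3 the iteration closes after a few steps with the 16 lists without repetition, and T[u] is inhabited at exactly those b that do not occur in u; with NAT_CODE and d = (x)() the k-th iterate is {0, ..., k-1} and the bound is always hit.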

⁵ We have here renamed the constructor $nil$ in [18] to $empty$.
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In order to ensure that a fixed point indeed can be reached we postulate the 
existence of one Mahlo cardinal in addition to the ordinary axioms of ZF set 
theory.® We also need the the axiom of choice to deal with cardinals, and for 
simplicity we assume the generalized continuum hypothesis.^ 

Note that a cardinal $\kappa$ is inaccessible iff it is regular and $\aleph_\kappa = \kappa$, where $\aleph$ 
enumerates the infinite cardinals. An inaccessible cardinal $\kappa$ is a Mahlo cardinal 
iff every normal function $f : \kappa \to \kappa$ has a regular fixed point. (A normal function 
$f$ is a (strictly) monotone function which is continuous at limit ordinals $\lambda$, i.e. 
$f(\lambda) = \sup_{\alpha < \lambda} f(\alpha)$.) The standard model of our extension of ZF is $V_{M^+}$, where 
$M^+$ is the first inaccessible above $M$; however, all types will be interpreted as 
elements of $V_\Lambda$, where $\Lambda$ is the first (non-regular) fixed point of $\lambda\alpha.\aleph_\alpha$ above $M$. 

We will develop the semantics following the approach in [20]. Let $\Lambda_0 := \aleph_{M+1}$, 
$\Lambda_{n+1} := \aleph_{\Lambda_n}$, and $\Lambda := \sup_{n \in \omega} \Lambda_n$. 

If $a, a_1, \ldots, a_n, c$ are sets, and $b$ is a function with domain $a$, let 

\[
\begin{aligned}
\Pi_{x \in a}\, b(x) &:= \{ f \mid f \text{ function} \wedge \mathrm{dom}(f) = a \wedge \forall x \in a.\, f(x) \in b(x) \} ,\\
\lambda x \in a.\, b(x) &:= \{ (x, b(x)) \mid x \in a \} ,\\
\Sigma_{x \in a}\, b(x) &:= \{ (c, d) \mid c \in a \wedge d \in b(c) \} ,\\
a_0 + \cdots + a_n &:= \Sigma_{i \in \{0, \ldots, n\}}\, a_i \quad (\text{if } n \ge 1) ,\\
(a \to c) &:= \Pi_{x \in a}\, c .
\end{aligned}
\]

Moreover, $(a)_i := a_i$ if $a = (a_0, \ldots, a_l)$, and undefined otherwise. 

Whenever we introduce sets $A^\alpha$ indexed by ordinals $\alpha$, let in the following 

\[
A^{<\alpha} := \bigcup_{\beta < \alpha} A^\beta .
\]

We shall use the set $V_\Lambda$ as the set-theoretic universe for our interpretation. 
All types and objects of types will thus be interpreted as elements of $V_\Lambda$. Terms 
which depend on free variables will be interpreted relative to an assignment $\rho$, 
that is, a function which maps a finite set of variables to elements of $V_\Lambda$. In the 
following $\rho$ (possibly with indices or accents) will always be an assignment. If 
$a \in V_\Lambda$, then $\rho^a_x$ is the assignment with $\mathrm{dom}(\rho^a_x) := \mathrm{dom}(\rho) \cup \{x\}$ such that 

\[
\rho^a_x(y) :=
\begin{cases}
a & \text{if } x = y ,\\
\rho(y) & \text{otherwise.}
\end{cases}
\]



Let terms be the set of expressions which can occur as elements of a type or 
as types: variables are terms, and if $a, b, a_1, \ldots, a_n$ are terms, $x$ is a variable, 
and $C$ is an $n$-ary constructor of the system (including set, stype and constructors 
like $(\cdot,\cdot)$, $\pi_0$, but excluding type), then $(x : a) \to b$, $(x : a)b$, $(x : a) \times b$ and 
$C(a_1, \ldots, a_n)$ are terms. 

Footnote: In Sect. 7 ("Constructive versions of the model") we will discuss how to replace these 
strong set-theoretic requirements by far weaker ones. 

Footnote: Without the generalized continuum hypothesis one has to replace Mahlo and inaccessible 
by strongly Mahlo and strongly inaccessible, respectively, and $\aleph_\alpha$ by $\beth_\alpha$. 

Footnote: We here use a notion of model which only requires all derivable types to be 
interpreted as elements of $V_\Lambda$. Note however that $V_\Lambda$ is not closed under the formation 
of dependent function types. If we wish to satisfy this requirement we can either 
reinterpret type as the class of all sets or as $V_I$ for some inaccessible cardinal $I > M$. 

For terms $t$ and assignments $\rho$ we will determine whether the interpretation 
$t^*_\rho$ is defined and, if it is defined, the value of $t^*_\rho$. This will be done in such a 
way that for every term $t$ and every $n \in \omega$ there exists an $m \in \omega$ such that, 
if $\mathrm{rng}(\rho) \subseteq V_{\Lambda_n}$, then $t^*_\rho \in V_{\Lambda_m}$. For closed terms $t^*_\rho$ will not depend on $\rho$, and we 
therefore omit the subscript $\rho$. We will use $\simeq$ for partial equality in the usual 
sense, and also let $t^*_\rho :\simeq s$ mean that the interpretation of $t$ under assignment $\rho$ 
is defined to be $s$, provided $s$ is defined, and is undefined otherwise. We extend 
this definition further by defining 

\[
\mathrm{type}^* := V_\Lambda .
\]



The interpretation of terms is given by 

\[
\begin{array}{ll}
x^*_\rho :\simeq \rho(x) , & \mathrm{set}^* :\simeq \mathrm{stype}^* :\simeq V_M ,\\[2pt]
((x : A) \to B)^*_\rho :\simeq \Pi_{y \in A^*_\rho}\, B^*_{\rho^y_x} , & ((x : A)a)^*_\rho :\simeq \lambda y \in A^*_\rho .\, a^*_{\rho^y_x} ,\\[2pt]
((x : A) \times B)^*_\rho :\simeq \Sigma_{y \in A^*_\rho}\, B^*_{\rho^y_x} , & (a(b))^*_\rho :\simeq a^*_\rho(b^*_\rho) ,\\[2pt]
(a, b)^*_\rho :\simeq (a^*_\rho, b^*_\rho) , & (\pi_0(a))^*_\rho :\simeq (a^*_\rho)_0 ,\quad (\pi_1(a))^*_\rho :\simeq (a^*_\rho)_1 ,\\[2pt]
1^* :\simeq 1 ,\quad ()^* :\simeq 0 , & \mathbb{B}^* :\simeq \{0, 1\} ,\quad \mathrm{tt}^* :\simeq 0 ,\quad \mathrm{ff}^* :\simeq 1 ,
\end{array}
\]

\[
(\text{if } a \text{ then } b \text{ else } c)^*_\rho :\simeq
\begin{cases}
b^*_\rho & \text{if } a^*_\rho = 0 ,\\
c^*_\rho & \text{if } a^*_\rho = 1 ,\\
\text{undefined} & \text{otherwise.}
\end{cases}
\]



To interpret terms with constructors SP, nonind, ind, Arg, ..., we first define 
$\mathrm{SP}^*$, $\mathrm{nonind}^*$, $\mathrm{ind}^*$, $\mathrm{Arg}^*$, $\mathrm{arg}^*$, $\mathrm{map}^*$, $\mathrm{IH}^*$, $\mathrm{mapIH}^*$, $U^*$, $T^*$ and interpret 

\[
\begin{aligned}
(\mathrm{SP}_D)^*_\rho &:\simeq \mathrm{SP}^*(D^*_\rho) ,\\
(\mathrm{nonind}(a, b))^*_\rho &:\simeq \mathrm{nonind}^*(a^*_\rho, b^*_\rho) ,\\
(\mathrm{Arg}_{D,\varphi})^*_\rho &:\simeq \mathrm{Arg}^*(D^*_\rho, \varphi^*_\rho) ,\\
(\mathrm{map}_{D,\varphi}(U, T))^*_\rho &:\simeq \lambda x \in \mathrm{arg}^*(D^*_\rho, \varphi^*_\rho, U^*_\rho, T^*_\rho) .\, \mathrm{map}^*(D^*_\rho, \varphi^*_\rho, U^*_\rho, T^*_\rho, x) ,\\
&\ \ \ldots
\end{aligned}
\]



$\mathrm{SP}^*(D)$ is defined for $D \in \mathrm{type}^*$ as the least set such that 

\[
\mathrm{SP}^*(D) = 1 + \Sigma_{a \in \mathrm{set}^*}\, (a \to \mathrm{SP}^*(D)) + \Sigma_{a \in \mathrm{set}^*}\, ((a \to D) \to \mathrm{SP}^*(D)) ,
\]

which we get by iterating the appropriate operator $\kappa$ times, provided that for all $a \in \mathrm{set}^*$ 
the cardinality of $a$ and of $a \to D$ is less than $\kappa$. If $D \in V_{\Lambda_n}$, it follows that $\mathrm{SP}^*(D) \in V_{\Lambda_m}$ 
for some $m \in \omega$. The constructors are interpreted by 

\[
\mathrm{nil}^* :\simeq (0, 0) ,\qquad \mathrm{nonind}^*(a, b) :\simeq (1, (a, b)) ,\qquad \mathrm{ind}^*(a, b) :\simeq (2, (a, b)) .
\]

$\mathrm{Arg}^*(D, \varphi)$ is defined if $\varphi \in \mathrm{SP}^*(D)$, and then in accordance with the 
equations for Arg, that is, 

\[
\begin{aligned}
\mathrm{Arg}^*(D, \mathrm{nil}^*) &:\simeq 1 ,\\
\mathrm{Arg}^*(D, \mathrm{nonind}^*(A, \varphi)) &:\simeq \Sigma_{x \in A}\, \mathrm{Arg}^*(D, \varphi(x)) ,\\
\mathrm{Arg}^*(D, \mathrm{ind}^*(A, \varphi)) &:\simeq \Sigma_{f \in A \to D}\, \mathrm{Arg}^*(D, \varphi(f)) .
\end{aligned}
\]

Similarly, we define $\mathrm{arg}^*(D, \varphi, U, T)$, $\mathrm{map}^*(D, \varphi, U, T, a)$, and, for $D' \in (U \to 
\mathrm{type}^*)$, $\mathrm{IH}^*(D, \varphi, U, T, D', a)$ and $\mathrm{mapIH}^*(D, \varphi, U, T, D', R, a)$. Then 

\[
U^*(D, \varphi, d) :\simeq U^M(D, \varphi, d) ,\qquad
T^*(D, \varphi, d) :\simeq \lambda x \in U^*(D, \varphi, d) .\, T^M(D, \varphi, d, x) ,
\]

where $U^\alpha(D, \varphi, d)$ and $T^\alpha(D, \varphi, d)$, or shorter $U^\alpha$ and $T^\alpha$, are simultaneously 
defined by recursion on $\alpha$ as 

\[
\begin{aligned}
U^\alpha &:\simeq \mathrm{arg}^*(D, \varphi, U^{<\alpha}, T^{<\alpha}) ,\\
T^\alpha(a) &:\simeq d(\mathrm{map}^*(D, \varphi, U^{<\alpha}, T^{<\alpha}, a)) ,
\end{aligned}
\]

\[
\mathrm{intro}(a)^*_\rho :\simeq a^*_\rho ,\qquad
R^*(D, \varphi, d, D', e, a) :\simeq R^M(D, \varphi, d, D', e, a) ,
\]

where 

\[
R^\alpha(D, \varphi, d, D', e, a) :\simeq e(a, \mathrm{mapIH}^*(D, \varphi, U^*(D, \varphi, d), T^*(D, \varphi, d), D', R^{<\alpha}(D, \varphi, d, D', e), a)) .
\]

Contexts will be interpreted as sets of assignments: 

\[
()^* :\simeq \{\emptyset\} ,\qquad (\Gamma, x : A)^* :\simeq \{ \rho^a_x \mid \rho \in \Gamma^* \wedge a \in A^*_\rho \} ,
\]

where $\emptyset$ is the empty assignment (the interpretation of the empty context must contain it, 
otherwise every $\Gamma^*$ would be empty and the soundness statements below would be vacuous). 
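As an added worked example (not code from the paper), the following Python script carries out the recursion $U^\alpha :\simeq \mathrm{arg}^*(D, \varphi, U^{<\alpha}, T^{<\alpha})$, $T^\alpha(a) :\simeq d(\mathrm{map}^*(D, \varphi, U^{<\alpha}, T^{<\alpha}, a))$ for one concrete code: a small universe of finite sets closed under a $\Pi$-like constructor, with $D = \mathbb{N}$ read as the cardinality of the set a code denotes. Codes are encoded with the tags of $\mathrm{nil}^*$, $\mathrm{nonind}^*$, $\mathrm{ind}^*$; index sets are assumed to be initial segments $\{0, \ldots, k-1\}$ so that a function $f : A \to U$ can be stored as a $k$-tuple; the names `arg`, `map_arg`, `iterate`, `PHI` and `d_universe` are this example's own. Only finitely many successor stages are computed: with a finite index set the chain keeps growing, and the fixed point of Lemma 3(c) is only reached at a limit stage.

```python
"""Iterating U^alpha / T^alpha for one inductive-recursive definition.

Added example, not part of the paper.  Codes phi in SP*(D) are encoded as
('nil',), ('nonind', A, k) and ('ind', A, k), where A is an index set given
as a tuple (assumed to be (0, ..., len(A)-1)) and k is a Python function
playing the role of the continuation (x -> SP, resp. (A -> D) -> SP).  A
function f : A -> U is stored as a tuple indexed by position, so T o f is
the tuple (T[f[0]], ..., T[f[-1]]).
"""
from itertools import product
from math import prod

NIL = ('nil',)


def nonind(A, k):
    """nonind*(A, k): a non-inductive argument x in A, continuation k(x)."""
    return ('nonind', tuple(A), k)


def ind(A, k):
    """ind*(A, k): an inductive argument f : A -> U, continuation k(T o f)."""
    return ('ind', tuple(A), k)


def arg(phi, U, T):
    """arg*(D, phi, U, T): the set of constructor arguments over (U, T)."""
    kind = phi[0]
    if kind == 'nil':
        return {()}
    if kind == 'nonind':
        _, A, k = phi
        return {(x, c) for x in A for c in arg(k(x), U, T)}
    _, A, k = phi                                 # 'ind'
    elems = list(U)
    out = set()
    for f in product(elems, repeat=len(A)):       # every f : A -> U
        Tf = tuple(T[u] for u in f)               # T o f : A -> D
        for c in arg(k(Tf), U, T):
            out.add((f, c))
    return out


def map_arg(phi, T, a):
    """map*(D, phi, U, T, a): replace each f : A -> U inside a by T o f."""
    kind = phi[0]
    if kind == 'nil':
        return ()
    if kind == 'nonind':
        x, c = a
        return (x, map_arg(phi[2](x), T, c))
    f, c = a                                      # 'ind'
    Tf = tuple(T[u] for u in f)
    return (Tf, map_arg(phi[2](Tf), T, c))


def iterate(phi, d, steps):
    """Return [(U^1, T^1), ..., (U^steps, T^steps)] for successor stages.

    U^{n+1} = arg*(D, phi, U^n, T^n) and T^{n+1}(a) = d(map*(.., T^n, a));
    U^{<n+1} = U^n because the stages form a chain (Lemma 3(b)).  The two
    assertions check monotonicity of U and compatibility of T along the chain.
    """
    U, T = set(), {}
    stages = []
    for _ in range(steps):
        U_next = arg(phi, U, T)
        T_next = {a: d(map_arg(phi, T, a)) for a in U_next}
        assert U <= U_next
        assert all(T_next[a] == T[a] for a in U)
        U, T = U_next, T_next
        stages.append((U, T))
    return stages


# A concrete code (this example's own): a universe of finite sets closed under Pi.
# Constructor 0: fin(n) for n in {0,1,2}, a code for the set {0,...,n-1}.
# Constructor 1: pi(u, f) with u in U and f : T(u) -> U, decoding to the product
# of the sets f(i); the domain of f depends on T(u), which is the inductive-
# recursive feature.
PHI = nonind((0, 1), lambda tag:
             nonind((0, 1, 2), lambda n: NIL) if tag == 0
             else ind((0,), lambda g: ind(tuple(range(g[0])), lambda h: NIL)))


def d_universe(image):
    """d : Arg*(D, PHI) -> D, the decoding T of a freshly built element."""
    tag, rest = image
    if tag == 0:
        n, _ = rest
        return n
    (tu,), (h, _) = rest      # g = (T(u),) and h = T o f, a tuple of length T(u)
    return prod(h)            # |Pi_{i<T(u)} f(i)|, with prod(()) == 1


def fin(n):
    return (0, (n, ()))


def pi(u, f):
    return (1, ((u,), (tuple(f), ())))


if __name__ == '__main__':
    for n, (U, T) in enumerate(iterate(PHI, d_universe, 2), start=1):
        print(f"|U^{n}| = {len(U)}, decoded sizes: {sorted(set(T.values()))}")
```

Stage 1 contains only the three `fin` codes (no $f : 1 \to \emptyset$ exists), stage 2 adds the thirteen `pi` codes built over them, and the compatibility assertion in `iterate` is the finite shadow of Lemma 1(b).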



6.2 Soundness of the Rules 

Theorem 1 (Soundness theorem). 

(a) If $\Gamma$ context, then $\Gamma^*$ is defined. 

(b) If $\vdash \Gamma \Rightarrow A : E$, where $E = \mathrm{type}$ or $E$ is a term, then $\Gamma^*$ is defined, 
$\forall \rho \in \Gamma^*.\, A^*_\rho \in E^*_\rho$, and if $E \neq \mathrm{type}$, $\forall \rho \in \Gamma^*.\, E^*_\rho \in \mathrm{type}^*$. 

(c) If $\vdash \Gamma \Rightarrow A = B : E$, where $E = \mathrm{type}$ or $E$ is a term, then $\Gamma^*$ is defined, 
$\forall \rho \in \Gamma^*.\, (A^*_\rho \in E^*_\rho \wedge A^*_\rho = B^*_\rho)$, and if $E \neq \mathrm{type}$, $\forall \rho \in \Gamma^*.\, E^*_\rho \in \mathrm{type}^*$. 

(d) $\nvdash a : N_0$, where $N_0$ is the empty set, for any of the possibilities mentioned in 
Section 5. 

The proof of the Soundness theorem is more or less routine, except for the 
verification that $U : \mathrm{set}$. In order to prove this we will need some lemmata. 

First we need to verify that $U^\alpha$ is increasing with $\alpha$ and that for $\alpha < \beta$, $T^\alpha$ and 
$T^\beta$ coincide on $U^\alpha$. In order to prove this we need to verify that $\mathrm{arg}^*(D, \varphi, U, T)$ 
and $\mathrm{map}^*(D, \varphi, U, T)$ are monotone in $U$, $T$, as expressed by the following lemma: 

Lemma 1. Assume $D \in \mathrm{type}^*$, $\varphi \in \mathrm{SP}^*(D)$, $U \subseteq U' \in \mathrm{set}^*$, $T' : U' \to D$, 
$T = T' \restriction U$. Then 

(a) $\mathrm{arg}^*(D, \varphi, U, T) \subseteq \mathrm{arg}^*(D, \varphi, U', T')$ and 

(b) $\mathrm{map}^*(D, \varphi, U', T') \restriction \mathrm{arg}^*(D, \varphi, U, T) = \mathrm{map}^*(D, \varphi, U, T)$. 

We want to show that there is a $\kappa < M$ such that $U^{<\kappa} = U^\kappa$. This is the 
case if $\kappa$ is a limit ordinal such that $\mathrm{arg}^*(D, \varphi, U, T)$ is $\kappa$-continuous in $U$ and 
$T$, that is, 

\[
\mathrm{arg}^*(D, \varphi, U^{<\kappa}, T^{<\kappa}) = \bigcup_{\alpha < \kappa} \mathrm{arg}^*(D, \varphi, U^\alpha, T^\alpha) . \tag{1}
\]

To obtain this we need that all index sets which start an inductive argument 
have cardinality less than $\kappa$. The set $\mathrm{Aux}(D, \varphi, U, T) \in \mathrm{set}^*$, where $D \in \mathrm{type}^*$, 
$\varphi \in \mathrm{SP}^*(D)$, $U \in \mathrm{set}^*$, $T \in U \to D$, collects all possible such index sets. It is 
defined by induction on $\varphi$: 

\[
\begin{aligned}
\mathrm{Aux}(D, \mathrm{nil}^*, U, T) &:= 1 ,\\
\mathrm{Aux}(D, \mathrm{nonind}^*(A, \varphi), U, T) &:= \bigcup_{x \in A} \mathrm{Aux}(D, \varphi(x), U, T) ,\\
\mathrm{Aux}(D, \mathrm{ind}^*(A, \varphi), U, T) &:= A + \bigcup_{f \in A \to U} \mathrm{Aux}(D, \varphi(T \circ f), U, T) .
\end{aligned}
\]

Lemma 2. Assume $D \in \mathrm{type}^*$, $\varphi \in \mathrm{SP}^*(D)$. Let $\kappa$ be inaccessible and let for 
$\alpha < \kappa$, $U^\alpha \in \mathrm{set}^*$, $T^\alpha : U^\alpha \to D$ such that for $\alpha < \beta$, $U^\alpha \subseteq U^\beta$ and $T^\beta \restriction U^\alpha = T^\alpha$. 

Assume also, for some $\alpha_0 < \kappa$ and for all $\alpha_0 < \alpha < \kappa$, 

\[
\mathrm{Aux}(D, \varphi, U^\alpha, T^\alpha) \in V_\kappa . \tag{2}
\]

Then $\mathrm{arg}^*(D, \varphi, U, T)$ is $\kappa$-continuous in $U$ and $T$, that is, (1) holds. 

Proof: "$\supseteq$" follows by Lemma 1(a). 

"$\subseteq$" follows by induction on $\varphi$. We treat only the main case $\varphi = \mathrm{ind}^*(A, \gamma)$. 
Assume $a \in \mathrm{arg}^*(D, \varphi, U^{<\kappa}, T^{<\kappa})$; we show $a \in \mathrm{arg}^*(D, \varphi, U^\alpha, T^\alpha)$ for some 
$\alpha < \kappa$. We know $a = (f, c)$ for some $f : A \to U^{<\kappa}$ and $c \in \mathrm{arg}^*(D, \gamma(T^{<\kappa} \circ 
f), U^{<\kappa}, T^{<\kappa})$. By (2) it follows that $A \in V_\kappa$, and by the inaccessibility of $\kappa$ there 
exists a $\beta < \kappa$ such that $f : A \to U^{<\beta}$, in particular $f : A \to U^\beta$. W.l.o.g. $\alpha_0 < \beta$. 

For $\beta < \alpha < \kappa$ it follows that $\mathrm{Aux}(D, \gamma(T^\alpha \circ f), U^\alpha, T^\alpha) \in V_\kappa$, and therefore by 
induction hypothesis there exists a $\beta'$ such that $c \in \mathrm{arg}^*(D, \gamma(T^{\beta'} \circ f), U^{\beta'}, T^{\beta'})$. 
With $\alpha := \max\{\beta, \beta'\}$ the assertion follows. $\square$ 

Lemma 3. Assume $\varphi \in \mathrm{SP}^*(D)$, $d \in \mathrm{Arg}^*(D, \varphi) \to D$. Abbreviate $U^\alpha := 
U^\alpha(D, \varphi, d)$, $T^\alpha := T^\alpha(D, \varphi, d)$, and note that $U^*(D, \varphi, d) = U^M$, $T^*(D, \varphi, d) = T^M$. 

(a) $T^\alpha : U^\alpha \to D$, and if $\alpha < M$, $U^\alpha \in V_M$. 

(b) If $\alpha < \beta$ then $U^\alpha \subseteq U^\beta$ and $T^\beta \restriction U^\alpha = T^\alpha$. 

(c) There exists $\kappa < M$ such that $U^\alpha = U^\kappa$ (and therefore $T^\alpha = T^\kappa$) for all 
$\alpha \ge \kappa$. 

(d) $U^M \in V_M$, $\mathrm{arg}^*(D, \varphi, U^M, T^M) \subseteq U^M$. 
Proof: 

(a) Easy induction on $\alpha$. 

(b) Induction on $\alpha$, $\beta$, using Lemma 1(b). 

(c) Define $f : \mathrm{Ord} \to \mathrm{Ord}$ by transfinite recursion: 

\[
f(\beta) = \min\{ \alpha \mid \forall \beta' < \beta\, (f(\beta') < \alpha) \wedge \forall \beta' < \beta\, (U^{\beta'} \cup \mathrm{Aux}(D, \varphi, U^{\beta'}, T^{\beta'}) \subseteq V_\alpha) \} .
\]

$f : M \to M$ follows immediately from $M$ being inaccessible, since for $\beta < M$ the set 
$\{ U^{\beta'} \cup \mathrm{Aux}(D, \varphi, U^{\beta'}, T^{\beta'}) \mid \beta' < \beta \}$ is an element of $V_M$. 

Let for $\alpha < M$, $\theta(\alpha) := f^\alpha(0)$. By the regularity of $M$ we have $\theta : M \to M$. 
Since $f$ is increasing, $\theta$ is normal. Hence, since $M$ is Mahlo, $\theta$ has an inaccessible 
fixed point $\kappa < M$. 

Therefore $f : \kappa \to \kappa$: assume $\alpha < \kappa$. $\kappa$ is a limit ordinal, therefore $\alpha < \theta(\beta)$ 
for some $\beta < \kappa$, and $f(\alpha) < f(\theta(\beta)) = \theta(\beta + 1) < \theta(\kappa) = \kappa$. By induction on $\alpha$, using 
the regularity of $\kappa$, for $\alpha < \kappa$ we get $U^\alpha \in V_\kappa$ and $\mathrm{Aux}(D, \varphi, U^\alpha, T^\alpha) \in V_\kappa$, and therefore 
by Lemma 2 

\[
U^\kappa = \mathrm{arg}^*(D, \varphi, U^{<\kappa}, T^{<\kappa})
= \bigcup_{\alpha < \kappa} \mathrm{arg}^*(D, \varphi, U^\alpha, T^\alpha)
= \bigcup_{\alpha < \kappa} U^{\alpha + 1} = U^{<\kappa} .
\]

By induction on $\alpha$, for all $\alpha \ge \kappa$, $U^\alpha = U^{<\alpha} = U^\kappa$. 

(d) $U^M = U^\kappa \in V_M$, and $\mathrm{arg}^*(D, \varphi, U^M, T^M) = \mathrm{arg}^*(D, \varphi, U^\kappa, T^\kappa) = U^{\kappa + 1} \subseteq U^M$. $\square$ 

7 Related and Future Work 

Universes in type theory. The first example of an inductive-recursive defi- 
nition in type theory was Martin-Löf's universe à la Tarski [3]. Then Palmgren 
[22] defined external and internal universe hierarchies and also a super universe. 
Rathjen, Griffor, and Palmgren [23] defined quantifier universes and Palmgren [2] 
defined higher order universe hierarchies. All these constructions use induction- 
recursion, whereas Setzer [10] defined a Mahlo universe, which goes beyond it. 

Inductive definitions in type theory. Previous work on formalization 
of inductive definitions in Martin-Löf's type theory has mainly used external 
schemata in the style of Martin-Löf's intuitionistic theory of iterated inductive 
definitions in predicate logic [17]. See for example Backhouse [19], Dybjer [1], 
and Paulin [16]. A schema for inductive-recursive definitions was introduced by 
Dybjer [18]. 

Footnote: There are earlier examples of informal inductive-recursive definitions, for example 
Martin-Löf's simultaneous definition of the notions of computable type and term 
[4] from 1972. However, the explicitly inductive-recursive nature of type-theoretic 
universes was only brought out when they were formulated à la Tarski rather than 
à la Russell. 
Categorical semantics of inductive types and of universes. The cat- 
egorical semantics of inductively defined dependent types has been discussed 
for example by Coquand and Paulin [14] and Mendler [11]. The latter arti- 
cle also discusses categorical semantics of universes in type theory. In a future 
article we plan to extend Mendler's work by giving categorical semantics of 
inductive-recursive definitions in terms of initial algebras on endofunctors in 
slice categories. We will also show how such semantics suggest an alternative 
finite axiomatization of inductive-recursive definitions. 

Set-theoretic semantics of type theory. It is well known that Martin-Löf's 
type theory has a "naive" full function-space model, see for example the introduc- 
tion in Troelstra [7]. Dybjer [20] gives a full function space model of Martin-Löf's 
type theory with an external schema for inductive definitions. Aczel's recent ar- 
ticle [5] contains further information about set-theoretic interpretations of type 
theory. 

Large cardinals in set theory. Induction-recursion gives quite a general 
approach to type-theoretic analogues of large cardinals in set theory. See for 
example Drake [9] for an introduction to large cardinals. Induction-recursion 
gives rise to analogues of, for example, inaccessible and hyper-inaccessible cardinals, 
and more generally Mahlo's $\pi$-numbers [23], but does not justify the definition 
of a set which is an analogue of a Mahlo cardinal. However, the type of sets has 
closure properties similar to those of a Mahlo cardinal. 

Constructive versions of the model. The current model requires much 
more proof-theoretic power than is actually needed: the strength of the type the- 
ory considered is very weak relative to ZF, even without any addition of large 
cardinals. Aczel [5] shows that the set-theoretic models interpret as well the 
principle of excluded middle of type theory, an enormous strengthening of the 
type theory. In order to get a model in a theory which has the same strength, 
Aczel modifies the model and replaces ZF by constructive set theory CZF. One 
can as well define a model in a theory of the same strength by giving a realiz- 
ability interpretation in Kripke-Platek set theory extended by a recursive Mahlo 
ordinal and $\omega$ admissibles above, extending [24,25,6]. Both models require some 
extra work, which exceeds the space available in this article. 

Proof-theoretic strength of type theory. It should be easy to develop a 
term model of the theory in $\mathrm{KPM}^+$ used in [6] for the interpretation of Mahlo 
type theory. Such a model, which will make use of a (countable) recursive Mahlo 
ordinal and $\omega$ admissibles above it only, would show that the strength of the 
current type theory is at most as big as the Mahlo universe. On the other hand, 
set can be seen as being almost a Mahlo universe, since we have induction over 
arbitrary types. What is missing to get the full strength is the possibility of 
having the W-type on top of the universe. In [13] together with [26], [25], [8] it 
was shown that in case of one universe such a restriction reduces the strength 
from $|\mathrm{KPI}^+|$ to $|\mathrm{KPI}|$, and with a similar argument for the lower bound as in 
[13] it is very likely that using the Mahlo feature of set we have a lower bound 
$|\mathrm{KPM}|$. Therefore it seems that the strength of our theory lies in the interval 
$[\,|\mathrm{KPM}|, |\mathrm{KPM}^+|\,]$. 

Footnote: The interpretation in the extension of Kripke-Platek set theory will be presented in 
an extended version of this article. 

Inductive-recursive definitions seem to cover what is by many (but not all) 
researchers considered at the moment as predicative type theory. Even if some 
extensions are not covered by our calculus, it seems unlikely that such extensions 
will get beyond the strength of the Mahlo universe. This indicates that Mahloness 
is a natural boundary in the world of predicativity, which can only be crossed 
by adding principles such as the existence of the Mahlo universe as a set. The 
second author regards such principles as predicatively justifiable. 

Inductive-recursive definition of indexed families. The external schema 
by Dybjer [18] considers the more general case of the simultaneous inductive- 
recursive definition of a set-indexed family of sets and functions. The present 
finite axiomatization can be extended to this case too, but we postpone the 
presentation of this to a future article. 
Abstract. We introduce a notion of Grothendieck logical relation and 
use it to characterise the definability of morphisms in stable bicartesian 
closed categories by terms of the simply-typed lambda calculus with 
finite products and finite sums. Our techniques are based on concepts 
from topos theory; however, our exposition is elementary. 



Introduction 

The use of logical relations as a tool for characterising the $\lambda$-definable elements 
in a model of the simply-typed $\lambda$-calculus originated in the work of Plotkin [10], 
who obtained such a characterisation of the definable elements in the full type 
hierarchy using a notion of Kripke logical relation. Subsequently, the more gen- 
eral notion of a Kripke logical relation of varying arity was developed by Jung 
and Tiuryn, and shown to characterise the definable elements in any Henkin 
model [4]. Although not emphasised in [4], relations of varying arity are power- 
ful enough to characterise relative definability with respect to any given set of 
elements considered as constants. The full generality of the approach is demon- 
strated in Alimohamed [1], where such relations are used to characterise relative 
definability in an arbitrary cartesian closed category. 

In general, results about the pure simply-typed $\lambda$-calculus extend easily to 
analogous results for systems containing finite product types. This is not the case 
for finite coproduct (sum) types. Although the equational theory of bicartesian 
closed categories provides a basic formal system, the syntactic techniques used to 
study systems without coproducts fall over in their presence. Two fundamental 
properties of this equational theory, decidability (Ghani [3]) and its completeness 
relative to the equalities valid in the category, $\mathbf{Set}$, of sets (Dougherty and 
Subrahmanyam [2]), were established only recently. It is apparently still an open 
question whether the finite model property holds for this theory (although it is 
inconceivable that it does not). Also, both the above results have been proved 
only for nonempty sums (i.e. with the empty type omitted). 

In this paper, we extend the logical relations characterization of relative de- 
finability to the simply-typed $\lambda$-calculus with products and sums (including the 
empty type). As might be expected, this requires some development of the theory 
of logical relations. It turns out that what is needed is a natural generalization 
of Kripke logical relations of varying arity, in which the base poset (or, more 
generally, category) for the relation is endowed with a Grothendieck topology [6]. 
Using such Grothendieck logical relations, we characterise relative definability in 
any bicartesian closed category in which the finite coproducts are stable (as is 
the case in $\mathbf{Set}$). We do not know if the characterisation extends also to the non- 
stable case. 

From the categorical point of view our results are best explained in terms 
of glueing [12,1]. However, for this conference version of the paper, we keep our 
exposition elementary, in the hope that it will be accessible to most type theorists 
with some background in categorical semantics. 

It should be said that the research in this paper originated as part of a 
strategy conceived by the authors for attacking the full abstraction problem for 
call-by-value FPC (which includes finite sums). Kripke logical relations of vary- 
ing arity had already been used to obtain full abstraction for PCF by O'Hearn 
and Riecke [8]. The extension of these results to FPC seemed to us to require an 
additional analysis of both partiality and sums. This line of research was never 
fully pursued because similar full abstraction results for FPC were soon obtained 
by Riecke and Sandholm [11]. However, their treatment of coproducts is some- 
what ad hoc (although one does get the feeling that a Grothendieck topology 
is at work behind the scenes). We believe that it would be very worthwhile to 
integrate our more conceptual approach to coproducts into the full abstraction 
picture. 

It seems likely that the notion of Grothendieck logical relation will have other 
applications. For example, the lengthy and heavily syntactic proof of equational 
completeness relative to $\mathbf{Set}$ in [2] has hints of Grothendieck topologies within 
it. It is plausible that Grothendieck logical relations will lead to simpler and 
more general such completeness proofs. 



1 Simply typed lambda calculus with sums 

The language we work with is a simply-typed $\lambda$-calculus with additional types for 
finite products and sums. In this section we describe the syntax of the language 
and its interpretation in any bicartesian closed category. 

Syntax. We use $T, \ldots$ to range over a set $\mathcal{T}$ of base types, and $\tau, \ldots$ to range 
over types, which are specified by the grammar below. 

\[
\tau ::= T \mid \tau_1 \to \tau_2 \mid \times^{(n)}(\tau_1, \ldots, \tau_n) \mid +^{(n)}(\tau_1, \ldots, \tau_n) \qquad n \in \mathbb{N}
\]

We write $1$ and $0$ for $\times^{(0)}()$ and $+^{(0)}()$ respectively. We use $n$-ary products and 
sums as primitive to emphasize that all our definitions for the zero-ary cases are 
just the natural instances of the general $n$-ary scheme. This is of particular inter- 
est in the case of the empty type $0$, which is generally thought of as troublesome 
and often omitted from consideration altogether [3,2]. 
We use $x, \ldots$ to range over a countably infinite set of variables. A (type) 
environment is a finite sequence $x_1 : \tau_1, \ldots, x_n : \tau_n$ where all the variables are 
distinct. We use $\Gamma, \ldots$ to range over environments. We write $()$ for the empty 
sequence in general, and the empty environment in particular. 

Terms are specified according to a $\mathcal{T}$-signature $\Sigma$, which is a set of pairs of 
the form $(c : \tau)$ assigning types $\tau$ to constants $c$, such that each constant symbol 
in $\Sigma$ is assigned only one type. The terms are generated by the rules in Fig. 1. For 
notational convenience, we will always omit the superscripts from the injections 
$\mathrm{in}_i^{\tau_1, \ldots, \tau_n}(t)$. As usual we consider terms as identified up to $\alpha$-equivalence. 

For the remainder of the paper we consider a fixed (though arbitrary) set of 
base types $\mathcal{T}$ and signature $\Sigma$. 

Semantics. For the purpose of this paper, a bicartesian closed category is a 
category with finite coproducts, finite products and exponentials (we do not as- 
sume finite limits). Let $\mathcal{S}$ be bicartesian closed with chosen structure $(0, +, 1, 
\times, \Rightarrow)$ (here we are distinguishing initial object, binary coproduct, terminal ob- 
ject, binary product and exponential). We define canonical finite coproducts by 
$\coprod^{(0)}() = 0$ and $\coprod^{(n+1)}(A_1, \ldots, A_n, A_{n+1}) = \coprod^{(n)}(A_1, \ldots, A_n) + A_{n+1}$. Canoni- 
cal finite products $\prod^{(n)}(A_1, \ldots, A_n)$ are defined similarly. We use standard no- 
tation for injections, projections, the universal maps, and the "evaluation" map 
and "currying" operation associated with the closed structure. 

A $\mathcal{T}$-interpretation in $\mathcal{S}$ is a function from $\mathcal{T}$ to objects of $\mathcal{S}$. Under a $\mathcal{T}$- 
interpretation $I$ every type $\tau$ is interpreted as an object $[\![\tau]\!]_I$ in the obvious way. 
The interpretation of types extends to environments by the usual definition: 

\[
[\![x_1 : \tau_1, \ldots, x_n : \tau_n]\!]_I = \prod^{(n)}([\![\tau_1]\!]_I, \ldots, [\![\tau_n]\!]_I)
\]

A $(\mathcal{T}, \Sigma)$-interpretation $I$ in $\mathcal{S}$ is a pair $(I_{\mathcal{T}}, I_\Sigma)$ where $I_{\mathcal{T}}$ is a 
$\mathcal{T}$-interpretation, and $I_\Sigma$ is a function mapping each constant $(c : \tau) \in \Sigma$ to a 
global element $I_\Sigma(c) : 1 \to [\![\tau]\!]$ in $\mathcal{S}$. Under a $(\mathcal{T}, \Sigma)$-interpretation every term 
$\Gamma \vdash t : \tau$ is interpreted as a generalised element $[\![\Gamma \vdash t : \tau]\!]_I : [\![\Gamma]\!] \to [\![\tau]\!]$ in $\mathcal{S}$ by: 

\[
\begin{aligned}
[\![x_1 : \tau_1, \ldots, x_n : \tau_n \vdash x_i : \tau_i]\!] &= \pi_i\\
[\![\Gamma \vdash c : \tau]\!] &= I_\Sigma(c) \circ \langle\rangle\\
[\![\Gamma \vdash \lambda x : \tau_1 . t : \tau_1 \to \tau_2]\!] &= \Lambda [\![\Gamma, x : \tau_1 \vdash t : \tau_2]\!]\\
[\![\Gamma \vdash t(t_1) : \tau_2]\!] &= \mathrm{ev} \circ \langle [\![\Gamma \vdash t : \tau_1 \to \tau_2]\!], [\![\Gamma \vdash t_1 : \tau_1]\!] \rangle\\
[\![\Gamma \vdash \langle t_1, \ldots, t_n \rangle : \times^{(n)}(\tau_1, \ldots, \tau_n)]\!] &= \langle [\![\Gamma \vdash t_1 : \tau_1]\!], \ldots, [\![\Gamma \vdash t_n : \tau_n]\!] \rangle\\
[\![\Gamma \vdash \mathrm{proj}_i(t) : \tau_i]\!] &= \pi_i \circ [\![\Gamma \vdash t : \times^{(n)}(\tau_1, \ldots, \tau_n)]\!]\\
[\![\Gamma \vdash \mathrm{in}_i(t) : +^{(n)}(\tau_1, \ldots, \tau_n)]\!] &= \iota_i \circ [\![\Gamma \vdash t : \tau_i]\!]\\
[\![\Gamma \vdash \mathrm{case}\ t\ \mathrm{of}\ [\mathrm{in}_1(x_1).t_1, \ldots, \mathrm{in}_n(x_n).t_n] : \tau]\!] &= [\,[\![\Gamma, x_1 : \tau_1 \vdash t_1 : \tau]\!], \ldots, [\![\Gamma, x_n : \tau_n \vdash t_n : \tau]\!]\,]\\
&\qquad \circ\ \delta^{(n)} \circ \langle \mathrm{id}_{[\![\Gamma]\!]}, [\![\Gamma \vdash t : +^{(n)}(\tau_1, \ldots, \tau_n)]\!] \rangle
\end{aligned}
\]

where $\delta^{(n)} : C \times \coprod^{(n)}(A_1, \ldots, A_n) \to \coprod^{(n)}(C \times A_1, \ldots, C \times A_n)$ is the dis- 
tributivity isomorphism. 
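The interpretation just defined, instantiated in $\mathbf{Set}$ with finite sets, as an added example that is not part of the paper: a type is interpreted as a Python list of its elements, a morphism $[\![\Gamma]\!] \to [\![\tau]\!]$ as the set of its (environment, value) pairs, and an element of an exponential as a frozenset of argument/result pairs, so that functions can themselves be elements and be compared for equality. The AST constructors (`'lam'`, `'case'`, ...) and the helper names `interp_type`, `eval_term` and `morphism` are this example's own. Because $n$-ary products and sums are primitive, the empty product $1$, the empty sum $0$ and `case` over $0$ need no special treatment, which the last check in `main` exercises.

```python
"""Set model of the simply-typed lambda calculus with finite products and sums.

Added example, not part of the paper.  A T-interpretation I maps base type
names to finite iterables; a (T, Sigma)-interpretation additionally maps
constant names to elements (the global elements 1 -> [[tau]]).

Types:  ('base', name) | ('arrow', t1, t2) | ('prod', [t1, ..., tn]) | ('sum', [t1, ..., tn])
Terms:  ('var', x) | ('const', c) | ('lam', x, t1, body) | ('app', f, a)
        | ('tuple', [...]) | ('proj', i, t) | ('inj', i, t)
        | ('case', t, [(x1, t1), ..., (xn, tn)])
"""
from itertools import product


def interp_type(tau, I):
    """[[tau]]_I as a list of elements; functions are frozensets of (x, f(x)) pairs."""
    kind = tau[0]
    if kind == 'base':
        return list(I[tau[1]])
    if kind == 'arrow':
        dom, cod = interp_type(tau[1], I), interp_type(tau[2], I)
        # full function space: one function per choice of a value for each argument
        return [frozenset(zip(dom, vals)) for vals in product(cod, repeat=len(dom))]
    if kind == 'prod':
        return [tuple(vs) for vs in product(*[interp_type(s, I) for s in tau[1]])]
    if kind == 'sum':
        return [(i, v) for i, s in enumerate(tau[1]) for v in interp_type(s, I)]
    raise ValueError(kind)


def eval_term(t, env, I, IS):
    """Value of the term t under environment env (a dict variable -> element)."""
    kind = t[0]
    if kind == 'var':
        return env[t[1]]
    if kind == 'const':
        return IS[t[1]]
    if kind == 'lam':                       # currying: tabulate the body over [[t1]]
        _, x, t1, body = t
        return frozenset((v, eval_term(body, {**env, x: v}, I, IS))
                         for v in interp_type(t1, I))
    if kind == 'app':                       # ev o <[[f]], [[a]]>
        return dict(eval_term(t[1], env, I, IS))[eval_term(t[2], env, I, IS)]
    if kind == 'tuple':
        return tuple(eval_term(s, env, I, IS) for s in t[1])
    if kind == 'proj':
        return eval_term(t[2], env, I, IS)[t[1]]
    if kind == 'inj':
        return (t[1], eval_term(t[2], env, I, IS))
    if kind == 'case':                      # the distributivity iso is the identity in Set
        i, v = eval_term(t[1], env, I, IS)
        x, branch = t[2][i]
        return eval_term(branch, {**env, x: v}, I, IS)
    raise ValueError(kind)


def morphism(gamma, t, I, IS=None):
    """[[Gamma |- t : tau]] : [[Gamma]] -> [[tau]] as a frozenset of (env tuple, value)."""
    IS = IS or {}
    names = [x for x, _ in gamma]
    doms = [interp_type(tau, I) for _, tau in gamma]
    return frozenset((e, eval_term(t, dict(zip(names, e)), I, IS))
                     for e in product(*doms))          # product of no sets is {()}


# Constructed sample types and terms (this example's own).
UNIT = ('prod', [])
EMPTY = ('sum', [])
BOOL = ('sum', [UNIT, UNIT])                # +(1, 1)
TT = ('inj', 0, ('tuple', []))
SWAP = ('lam', 'x', BOOL,
        ('case', ('var', 'x'), [('y', ('inj', 1, ('var', 'y'))),
                                ('z', ('inj', 0, ('var', 'z')))]))
SWAP_ETA = ('lam', 'w', BOOL, ('app', SWAP, ('var', 'w')))


def main():
    swap = morphism([], SWAP, {})
    assert morphism([], SWAP_ETA, {}) == swap               # eta holds in the model
    assert morphism([], ('app', SWAP, TT), {}) == frozenset({((), (1, ()))})
    # Gamma = x : 0, so [[Gamma]] is empty and the case with no branches is the empty map
    assert morphism([('x', EMPTY)], ('case', ('var', 'x'), []), {}) == frozenset()
    return len(interp_type(('arrow', BOOL, BOOL), {}))      # 2^2 = 4 functions


if __name__ == '__main__':
    print(main())
```

Comparing `morphism` results with `==` is exactly the equality of generalised elements that Proposition 1 in Section 2 is about, so a candidate equational rule can be checked against this model before trying to derive it.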
\[
\frac{}{x_1 : \tau_1, \ldots, x_n : \tau_n \vdash x_i : \tau_i}\ (1 \le i \le n)
\qquad
\frac{}{\Gamma \vdash c : \tau}\ ((c : \tau) \in \Sigma)
\]

\[
\frac{\Gamma, x : \tau_1 \vdash t : \tau_2}{\Gamma \vdash \lambda x : \tau_1 . t : \tau_1 \to \tau_2}
\qquad
\frac{\Gamma \vdash t : \tau_1 \to \tau_2 \qquad \Gamma \vdash t_1 : \tau_1}{\Gamma \vdash t(t_1) : \tau_2}
\]

\[
\frac{\Gamma \vdash t_1 : \tau_1 \quad \cdots \quad \Gamma \vdash t_n : \tau_n}{\Gamma \vdash \langle t_1, \ldots, t_n \rangle : \times^{(n)}(\tau_1, \ldots, \tau_n)}
\qquad
\frac{\Gamma \vdash t : \times^{(n)}(\tau_1, \ldots, \tau_n)}{\Gamma \vdash \mathrm{proj}_i(t) : \tau_i}\ (1 \le i \le n)
\]

\[
\frac{\Gamma \vdash t : \tau_i}{\Gamma \vdash \mathrm{in}_i^{\tau_1, \ldots, \tau_n}(t) : +^{(n)}(\tau_1, \ldots, \tau_n)}\ (1 \le i \le n)
\]

\[
\frac{\Gamma \vdash t : +^{(n)}(\tau_1, \ldots, \tau_n) \qquad \Gamma, x_i : \tau_i \vdash t_i : \tau\ \ (1 \le i \le n)}{\Gamma \vdash \mathrm{case}\ t\ \mathrm{of}\ [\mathrm{in}_1(x_1).t_1, \ldots, \mathrm{in}_n(x_n).t_n] : \tau}
\]

Fig. 1. Term syntax 



\[
\frac{}{\Gamma \mid \Sigma \vdash t = t : \tau}
\qquad
\frac{\Gamma \mid \Sigma \vdash t = t' : \tau}{\Gamma \mid \Sigma \vdash t' = t : \tau}
\qquad
\frac{\Gamma \mid \Sigma \vdash t_1 = t_2 : \tau \qquad \Gamma \mid \Sigma \vdash t_2 = t_3 : \tau}{\Gamma \mid \Sigma \vdash t_1 = t_3 : \tau}
\]

\[
\frac{}{x_1 : \tau_1, \ldots, x_n : \tau_n \mid t_1 =_{\tau'_1} t'_1, \ldots, t_n =_{\tau'_n} t'_n \vdash t_i = t'_i : \tau'_i}\ (1 \le i \le n)
\]

\[
\frac{\Gamma \mid \Sigma \vdash t_1 = t'_1 : \tau_1}{\Gamma \mid \Sigma \vdash t(t_1) = t(t'_1) : \tau_2}
\qquad
\frac{\Gamma, x : \tau_1 \mid \Sigma, x =_{\tau_1} x \vdash t = t' : \tau_2}{\Gamma \mid \Sigma \vdash \lambda x : \tau_1 . t = \lambda x : \tau_1 . t' : \tau_1 \to \tau_2}
\]

\[
\frac{}{\Gamma \mid \Sigma \vdash (\lambda x : \tau_1 . t)(t') = t[t'/x] : \tau_2}
\qquad
\frac{}{\Gamma \mid \Sigma \vdash t = \lambda x : \tau_1 . t(x) : \tau_1 \to \tau_2}\ (x \notin FV(t))
\]

\[
\frac{}{\Gamma \mid \Sigma \vdash \mathrm{proj}_i \langle t_1, \ldots, t_n \rangle = t_i : \tau_i}\ (1 \le i \le n)
\qquad
\frac{}{\Gamma \mid \Sigma \vdash t = \langle \mathrm{proj}_1(t), \ldots, \mathrm{proj}_n(t) \rangle : \times^{(n)}(\tau_1, \ldots, \tau_n)}
\]

\[
\frac{}{\Gamma \mid \Sigma \vdash \mathrm{case}\ \mathrm{in}_i(t)\ \mathrm{of}\ [\mathrm{in}_1(x_1).t_1, \ldots, \mathrm{in}_n(x_n).t_n] = t_i[t/x_i] : \tau}\ (1 \le i \le n)
\]

\[
\frac{\Gamma, x_i : \tau_i \mid \Sigma, \mathrm{in}_i(x_i) = t \vdash t_i = t' : \tau\ \ (1 \le i \le n)}{\Gamma \mid \Sigma \vdash \mathrm{case}\ t\ \mathrm{of}\ [\mathrm{in}_1(x_1).t_1, \ldots, \mathrm{in}_n(x_n).t_n] = t' : \tau}
\]

Fig. 2. Equational rules 
2 Stable coproducts 

To obtain our characterisation of definability, we shall be interested in bicartesian 
closed categories which enjoy the additional property that coproducts are stable. 

Definition 1 (Stable coproducts). In an arbitrary category, a coproduct 
$\{A_i \to A\}_{i \in I}$ is said to be stable if, for every arrow $X \to A$ and $i \in I$, there 
is a pullback square 

\[
\begin{array}{ccc}
X_i & \longrightarrow & X\\
\downarrow & & \downarrow\\
A_i & \longrightarrow & A
\end{array}
\]

and the family $\{X_i \to X\}_{i \in I}$ is also a coproduct. 

Note that the stability of the empty coproduct amounts to the strictness of 
initial objects, which holds in any cartesian closed category [5, Proposition 8.3]. 

We call a bicartesian closed category stable if it has stable finite coproducts 
(for which it suffices that binary coproducts are stable). Any elementary topos 
provides an example of a stable bicartesian closed category, and so does any 
Heyting algebra (note that the latter example shows that stable coproducts 
need not be disjoint). 
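Two instances of Definition 1, worked out as an added illustration that is not part of the original paper: in $\mathbf{Set}$, and in a Heyting algebra viewed as a category.

In $\mathbf{Set}$ a coproduct $\{A_i \hookrightarrow A\}_{i \in I}$ is a disjoint union, $A = \biguplus_{i \in I} A_i$. Given $h : X \to A$, the pullback of $A_i \hookrightarrow A$ along $h$ is the preimage
\[
X_i = h^{-1}(A_i) = \{ x \in X \mid h(x) \in A_i \} ,
\]
and since every $h(x)$ lies in exactly one $A_i$, the $X_i$ are pairwise disjoint with $\bigcup_{i \in I} X_i = X$, so $\{X_i \hookrightarrow X\}_{i \in I}$ is again a coproduct. These coproducts are moreover disjoint: pulling back $A_i \hookrightarrow A$ along $A_j \hookrightarrow A$ for $i \neq j$ gives $A_i \cap A_j = \emptyset$, the initial object.

In a Heyting algebra $H$ (objects the elements of $H$, one arrow $a \to b$ iff $a \le b$) the coproduct of $a$ and $b$ is the join $a \vee b$, and for an arrow $x \le a \vee b$ the pullbacks of $a \le a \vee b$ and $b \le a \vee b$ along it are the meets $x \wedge a$ and $x \wedge b$. Stability of the coproduct is then exactly the distributive law
\[
x \wedge (a \vee b) = (x \wedge a) \vee (x \wedge b) ,
\]
which holds in every Heyting algebra, so $\{x \wedge a \le x,\ x \wedge b \le x\}$ is again a coproduct. The coproduct is not disjoint in general: the pullback of $a \le a \vee b$ along $b \le a \vee b$ is $a \wedge b$, which need not be the bottom element $0$ (take $a = b \neq 0$).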

We next present a sound formal system for deriving equalities between terms, 
which is naturally interpreted in stable bicartesian closed categories. The formal 
system is essentially equivalent to the system WBCT of [2], which was introduced 
as a critical tool in their proof of the completeness of the equational theory of 
bicartesian closed categories relative to the valid equations in $\mathbf{Set}$. The fact that 
this system has a natural interpretation in any stable bicartesian closed category 
has not been observed before. 

The proof system is based on a notion of constrained (type) environment 
implementing equational assumptions about terms of sum type. 

Definition 2 (Constrained environment). The constrained environments 
$\Gamma \mid \Sigma$, consisting of an environment $\Gamma$ subject to constraints $\Sigma$, are defined 
inductively by the following rules. 

\[
\frac{}{() \mid ()}
\qquad
\frac{\Gamma \mid \Sigma}{\Gamma, x : \tau \mid \Sigma, x =_\tau x}
\qquad
\frac{\Gamma \mid \Sigma \qquad \Gamma \vdash t : +^{(n)}(\tau_1, \ldots, \tau_n)}{\Gamma, x : \tau_i \mid \Sigma, \mathrm{in}_i(x) =_{+^{(n)}(\tau_1, \ldots, \tau_n)} t}\ (1 \le i \le n)
\]

The equational rules manipulate judgements of the form $\Gamma \mid \Sigma \vdash t = t' : \tau$ 
where both $\Gamma \vdash t : \tau$ and $\Gamma \vdash t' : \tau$ are terms. The rules are given in Fig. 2. They 
are to be understood as applying only when all the premises and conclusions are 
genuine (well-typed) terms as specified above. 
Henceforth in this section, let $\mathcal{S}$ be a stable bicartesian closed category with 
chosen structure. (In addition to the chosen bicartesian closed structure de- 
scribed earlier, we assume a choice of pullbacks for coproduct morphisms. It 
is not necessary to assume any coherence conditions for these!) Let $I$ be an 
interpretation in $\mathcal{S}$. We interpret constrained environments $\Gamma \mid \Sigma$ as monos 
$[\![\Gamma \mid \Sigma]\!] \rightarrowtail [\![\Gamma]\!]$. The definition is by structural induction as follows. 

- $([\![() \mid ()]\!] \rightarrowtail [\![()]\!]) = \mathrm{id}_1$. 

- $([\![\Gamma, x : \tau \mid \Sigma, x =_\tau x]\!] \rightarrowtail [\![\Gamma]\!] \times [\![\tau]\!]) = ([\![\Gamma \mid \Sigma]\!] \rightarrowtail [\![\Gamma]\!]) \times \mathrm{id}_{[\![\tau]\!]}$. 

- $[\![\Gamma, x_i : \tau_i \mid \Sigma, \mathrm{in}_i(x_i) = t]\!] \rightarrowtail [\![\Gamma]\!] \times [\![\tau_i]\!]$ is the pairing $\langle m \circ p_i, q_i \rangle$ 
arising from the following pullback square, where $m : [\![\Gamma \mid \Sigma]\!] \rightarrowtail [\![\Gamma]\!]$ is the mono 
already constructed: 

\[
\begin{array}{ccc}
[\![\Gamma, x_i : \tau_i \mid \Sigma, \mathrm{in}_i(x_i) = t]\!] & \xrightarrow{\ q_i\ } & [\![\tau_i]\!]\\
\Big\downarrow{\scriptstyle p_i} & & \Big\downarrow{\scriptstyle \iota_i}\\
[\![\Gamma \mid \Sigma]\!] \xrightarrow{\ m\ } [\![\Gamma]\!] & \xrightarrow{[\![\Gamma \vdash t : +^{(n)}(\tau_1, \ldots, \tau_n)]\!]} & [\![+^{(n)}(\tau_1, \ldots, \tau_n)]\!]
\end{array}
\tag{1}
\]

Note that, by stability, the family 

\[
\{ p_i : [\![\Gamma, x_i : \tau_i \mid \Sigma, \mathrm{in}_i(x_i) = t]\!] \to [\![\Gamma \mid \Sigma]\!] \}_{1 \le i \le n}
\]

from (1) is a coproduct. Observe also that, by definition, for a constrained en- 
vironment $\Gamma \mid \Sigma$ of the form $x_1 : \tau_1, \ldots, x_n : \tau_n \mid x_1 =_{\tau_1} x_1, \ldots, x_n =_{\tau_n} x_n$, we 
have that $([\![\Gamma \mid \Sigma]\!] \rightarrowtail [\![\Gamma]\!]) = \mathrm{id}_{[\![\Gamma]\!]}$. Thus the interpretation of constrained envi- 
ronments extends that of environments. Furthermore, for any $\Gamma \mid \Sigma$ of the form 
$(x_1 : \tau_1, \ldots, x_n : \tau_n \mid t_1 =_{\tau'_1} t'_1, \ldots, t_n =_{\tau'_n} t'_n)$, we have an equaliser diagram 

\[
[\![\Gamma \mid \Sigma]\!] \rightarrowtail [\![\Gamma]\!] \rightrightarrows \prod^{(n)}([\![\tau'_1]\!], \ldots, [\![\tau'_n]\!]) \tag{2}
\]

in which the parallel pair is formed from the interpretations of the $t_i$ and of the $t'_i$. 

Proposition 1 (Soundness). If $\Gamma \mid \Sigma \vdash t = t' : \tau$ is derivable then 

\[
([\![\Gamma \mid \Sigma]\!] \rightarrowtail [\![\Gamma]\!] \xrightarrow{[\![\Gamma \vdash t : \tau]\!]} [\![\tau]\!]) = ([\![\Gamma \mid \Sigma]\!] \rightarrowtail [\![\Gamma]\!] \xrightarrow{[\![\Gamma \vdash t' : \tau]\!]} [\![\tau]\!]) .
\]

The proof is the usual straightforward induction on the structure of derivations, 
using the facts observed above. 

It would be interesting to obtain a completeness converse to Proposition 
1. We do not know if such a result holds, although weaker versions can be 
obtained by not insisting that all exponentials exist in $\mathcal{S}$. Also, following [2, 
Theorem 5.3], one can show that the proof system is sound and complete for 
deriving the equalities between terms in unconstrained environments that are 
valid in an arbitrary bicartesian closed category. These issues will be discussed 
further in the full version of this paper. 
3 Grothendieck logical relations 

For each object $A$ of the semantic category $\mathcal{S}$ we define the notion of a (cate- 
gorical) Kripke relation of varying arity over $A$. The idea is that the arity of the 
relation varies over a category $\mathbf{W}$ (of worlds), as specified by a functor $a : \mathbf{W} \to \mathcal{S}$ 
(that associates arities to worlds). For each object $w$ of $\mathbf{W}$, the object $a(w)$ is 
considered as an arity in the natural internal sense that $a(w)$-tuples of $A$ are 
given by morphisms $x : a(w) \to A$ in $\mathcal{S}$. The action of the arity functor $a$ on 
morphisms allows such a tuple $x$ of arity $a(w)$ to be reinterpreted along any 
change of world $\psi : v \to w$ in $\mathbf{W}$ to obtain the $a(v)$-tuple $x \circ a(\psi)$. For notational 
convenience, we write $x \cdot \psi$ for $x \circ a(\psi)$ when $a$ is clear from the context. 

Definition 3 (Kripke relation). Given a small category $\mathbf{W}$ and a functor 
$a : \mathbf{W} \to \mathcal{S}$, a $\mathbf{W}$-Kripke relation $R$ of arity $a$ over an object $A$ of $\mathcal{S}$ is a family 
$\{R(w) \subseteq \mathcal{S}(a(w), A)\}_{w \in |\mathbf{W}|}$ satisfying 

(Monotonicity) For every $\psi : w \to v$ in $\mathbf{W}$ and every $x : a(v) \to A$ in $\mathcal{S}$, if 
$x \in R(v)$ then $x \cdot \psi \in R(w)$. 

The notion of Kripke relation has a natural formulation in the language of 
presheaves. Writing $\widehat{\mathbf{W}}$ for the category of presheaves $[\mathbf{W}^{\mathrm{op}}, \mathbf{Set}]$, any arity func- 
tor $a : \mathbf{W} \to \mathcal{S}$ induces a hom functor $a^* : \mathcal{S} \to \widehat{\mathbf{W}}$ given by $(a^* A)(\_) = 
\mathcal{S}(a\_, A) : \mathbf{W}^{\mathrm{op}} \to \mathbf{Set}$. A Kripke relation of arity $a$ over $A \in \mathcal{S}$ is just a sub- 
presheaf $R \subseteq a^* A$ in $\widehat{\mathbf{W}}$. So, a Kripke relation of arity $a$ is a unary relation on 
$a^* A$ in the internal logic of the presheaf topos $\widehat{\mathbf{W}}$. 

Our generalisation of Kripke relation allows us to impose additional structure 
on the category of worlds in the form of a Grothendieck topology. A Grothendieck 
topology is a collection of covers, which are families of morphisms with the same 
codomain, subject to axioms on the collection. A cover $\{\varphi_i : w_i \to w\}_{i \in I}$ of $w$ 
specifies that information about $w$ can be recovered "locally" by piecing together 
relevant information about each of the $w_i$ along $\varphi_i$. The formal definition of a 
Grothendieck topology specifies the properties that the collection of covers must 
satisfy in order for such local determination to behave properly. 

Definition 4 (Basis for a topology). A (basis for a Grothendieck) topology 
$K$ on a category $\mathbf{W}$ consists of a family of (basic) covers $K(w)$, each cover being 
a family of morphisms with codomain $w$, for each object $w$ in $\mathbf{W}$, satisfying: 

(Identity) The singleton family $\{\mathrm{id}_w\} \in K(w)$. 

(Stability) For every family $\{\varphi_i\}_{i \in I} \in K(w)$ and morphism $\psi : v \to w$ there 
exists a family $\{\gamma_j\}_{j \in J} \in K(v)$ such that, for each $j \in J$, there exists 
$i \in I$ such that $\psi \circ \gamma_j$ factors through $\varphi_i$. 

(Transitivity) If $\{\varphi_i : w_i \to w\}_{i \in I} \in K(w)$ and $\{\gamma_{ij}\}_{j \in J_i} \in K(w_i)$ for every 
$i \in I$ then the family $\{\varphi_i \circ \gamma_{ij}\}_{i \in I,\, j \in J_i} \in K(w)$. 

A small category together with a Grothendieck topology is called a site. 
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Example 1. In any category the trivial topology, I, consists only of the singleton 
families {id}. 

Example 2. In a category with stable finite coproducts, the finite coproduct topol- 
ogy is given by 

{{ipi : Wi -)■ w}i<i<n I n > 0 and {ipt : Wi -?■ w}i<,<„ is a coproduct}. 

The stability of coproducts ensures that the stability axiom for a Grothendieck 
topology is satisfied. Note that the empty family covers an object if and only if 
the object is (necessarily strict) initial. 

In order to generalise the notion of Kripke relation to take into account a 
Grothendieck topology, we add an extra condition establishing that the relation 
is determined locally in the sense discussed above. 

Definition 5 (Grothendieck relation). Given a site $(W,K)$ and a functor $a : W \to S$, a $(W,K)$-Grothendieck relation of arity $a$ over $A \in S$ is a $W$-Kripke relation $\{R(w) \subseteq S(a(w), A)\}_{w \in |W|}$ that further satisfies:

(Local character) For every cover $\{\varphi_i : w_i \to w\}_{i \in I} \in K(w)$ and for all maps $x : a(w) \to A$ in $S$, if $x \cdot \varphi_i \in R(w_i)$ for all $i \in I$ then $x \in R(w)$.

In the case of the trivial topology, the local character property is vacuous and 
so any Kripke relation is a Grothendieck relation. 

It is instructive to reformulate the notion of a Grothendieck relation in terms of standard concepts from sheaf theory. For notational convenience, given a presheaf $P$ in $\widehat{W}$, for any $\varphi : v \to w$ in $W$ and $x \in P(w)$ we write $x \cdot \varphi$ for the element $P(\varphi)(x) \in P(v)$. (This generalises our previous notation for presheaves $a^*A$ to arbitrary presheaves.)

Definition 6 (Closed subpresheaf). Given a site $(W,K)$ and a presheaf $P$ in $\widehat{W}$, a subpresheaf $R \subseteq P$ is said to be $K$-closed if, for every cover $\{\varphi_i : w_i \to w\}_{i \in I} \in K(w)$ and for all $x \in P(w)$, if $x \cdot \varphi_i \in R(w_i)$ for all $i \in I$ then $x \in R(w)$.

Hence, a Grothendieck relation $R$ of arity $a$ over $A$ is precisely a $K$-closed subpresheaf $R \subseteq a^*A$.

There is another, less elementary, characterisation of Grothendieck relations. Writing $\mathrm{Sh}(W,K)$ for the full subcategory of $\widehat{W}$ whose objects are sheaves (for $K$) [6], it is well-known (see [6, III.5 and V.3] for example) that the embedding $\mathrm{Sh}(W,K) \hookrightarrow \widehat{W}$ has a (left-exact) left adjoint, the associated sheaf functor $\mathbf{a} : \widehat{W} \to \mathrm{Sh}(W,K)$. For every presheaf $P$, the closed subpresheaves of $P$ are in natural bijective correspondence with the subsheaves of $\mathbf{a}(P)$ [6]. Thus, a Grothendieck relation of arity $a$ over $A$ is just a subsheaf of $\mathbf{a}(a^*A)$ in $\mathrm{Sh}(W,K)$. In particular, when the presheaf $a^*A$ is already a sheaf for $K$, a Grothendieck relation over $A$ is just a subsheaf of $a^*A$. However, we shall not assume in general that $a^*A$ is a sheaf.

We define a category of Grothendieck relations over $S$ whose morphisms are given by those morphisms of $S$ that preserve the relations.

Definition 7. Given a site $(W,K)$ and an arity functor $a : W \to S$:

1. $\mathrm{G}(W,K,a)$ is the category with

objects: given by pairs $(A, R)$ consisting of an object $A \in S$ and a $(W,K)$-Grothendieck relation $R$ of arity $a$ over $A$,

arrows $(A,R) \to (B,S)$: given by arrows $f : A \to B$ in $S$ such that,

for all $x : a(w) \to A$, $x \in R(w)$ implies $f \circ x \in S(w)$, (3)

identity and composition: as in $S$.

2. We write $U : \mathrm{G}(W,K,a) \to S$ for the forgetful functor mapping $(A,R)$ to $A$.

Proposition 2. For $S$ bicartesian closed, the category $\mathrm{G}(W,K,a)$ is bicartesian closed and the forgetful functor $U : \mathrm{G}(W,K,a) \to S$ is faithful, and preserves and creates the bicartesian closed structure.

Proof. Finite coproducts: $\coprod_n (A_n, R_n) = (\coprod_n A_n, \coprod_n R_n)$ where $(x : a(w) \to \coprod_n A_n) \in (\coprod_n R_n)(w)$ iff$_{\mathrm{def}}$ there exists a cover $\{\varphi_i : w_i \to w\}_{i \in I} \in K(w)$ such that for all $i \in I$, there exist $n_i$ with $1 \le n_i \le n$ and $(x_i : a(w_i) \to A_{n_i}) \in R_{n_i}(w_i)$ such that $x \cdot \varphi_i = \mathrm{in}_{n_i} \circ x_i : a(w_i) \to \coprod_n A_n$.

Finite products: $\prod_n (A_n, R_n) = (\prod_n A_n, \prod_n R_n)$ where $(x : a(w) \to \prod_n A_n) \in (\prod_n R_n)(w)$ iff$_{\mathrm{def}}$ for all $n$, $(\pi_n \circ x : a(w) \to A_n) \in R_n(w)$.

Exponentials: $(A,R) \Rightarrow (B,S) = (A \Rightarrow B, S^R)$ where $(f : a(w) \to (A \Rightarrow B)) \in S^R(w)$ iff$_{\mathrm{def}}$ for all $\psi : v \to w$ and all $(x : a(v) \to A) \in R(v)$, we have $(\mathrm{ev} \circ \langle f \cdot \psi, x \rangle : a(v) \to (A \Rightarrow B) \times A \to B) \in S(v)$. □

Although straightforward, the proposition above is the categorical analogue 
of the fundamental lemma of logical relations [7] , which states that any syntac- 
tically definable morphism in S automatically preserves relations. To formulate 
this result explicitly, we require further definitions. 

Definition 8. Given a site $(W,K)$, an arity functor $a : W \to S$ and a Grothendieck relation $R$ of arity $a$ over $A \in S$, we say that a global element $x : 1 \to A$ in $S$ satisfies $R$ if, for all $w \in |W|$, it holds that $(a(w) \to 1 \xrightarrow{\ x\ } A) \in R(w)$.

Definition 9 (Grothendieck logical relation). Let $\mathcal{I}$ be a $(\mathbf{T},\Sigma)$-interpretation in a bicartesian closed category $S$. A Grothendieck logical relation for $\Sigma$ under $\mathcal{I}$ is given by: a site $(W,K)$; an arity functor $a : W \to S$; and a family $\{R_T\}_{T \in \mathbf{T}}$ such that:

1. each $R_T$ is a Grothendieck relation of arity $a$ over $\mathcal{I}_{\mathbf{T}}(T)$, and

2. for all $(c : \tau) \in \Sigma$, it holds that $\mathcal{I}_\Sigma(c)$ satisfies $R_\tau$, where we write $R_\tau$ ($R_\Gamma$) for the Grothendieck relation on $[\![\tau]\!]$ ($[\![\Gamma]\!]$) determined by the bicartesian closed structure on $\mathrm{G}(W,K,a)$ according to the structure of $\tau$ ($\Gamma$).
Lemma 1 (Fundamental Lemma of GLRs). Let $S$ be a bicartesian closed category and let $\mathcal{I}$ be a $(\mathbf{T},\Sigma)$-interpretation in $S$. For any Grothendieck logical relation $((W,K), a, \{R_T\}_{T \in \mathbf{T}})$ for $\Sigma$ under $\mathcal{I}$, the following two equivalent statements hold.

1. For every term $\Gamma \vdash t : \tau$, the interpretation $[\![\Gamma \vdash t : \tau]\!]$ is an arrow $([\![\Gamma]\!], R_\Gamma) \to ([\![\tau]\!], R_\tau)$ in $\mathrm{G}(W,K,a)$.

2. For every term $\vdash t : \tau$, the global element $[\![\vdash t : \tau]\!] : 1 \to [\![\tau]\!]$ satisfies $R_\tau$.

Our motivation for generalising Kripke relations to Grothendieck relations is to obtain the converse: any global element of $S$ that satisfies all Grothendieck logical relations is syntactically definable. At present we have such a result only in the special case that $S$ is stable. This is the content of the theorem below, which is the principal result of the paper.

Theorem 1 (Definability). Suppose $S$ is a stable bicartesian closed category and $\mathcal{I}$ is a $(\mathbf{T},\Sigma)$-interpretation in $S$. Then there exists a Grothendieck logical relation $((W,K), a, \{R_T\}_{T \in \mathbf{T}})$ for $\Sigma$ under $\mathcal{I}$, such that every global element of $[\![\tau]\!]$ that satisfies $R_\tau$ is definable by a closed term of type $\tau$.

4 Proof of Definability

In this section we prove Theorem 1. Accordingly, suppose $S$ is a stable bicartesian closed category (with chosen structure) and $\mathcal{I}$ is a $(\mathbf{T},\Sigma)$-interpretation in $S$. We construct a Grothendieck logical relation, satisfying the property of Theorem 1, based on a syntactic site $(W,K)$ defined below. The construction has similarities with the syntactic sites used in recent approaches to obtaining intuitionistic completeness results for intuitionistic logic, see e.g. [9].

Definition 10 (Syntactic site).

1. The category $W$ has

objects: given by constrained environments $\Gamma \mid \Xi$ as in Definition 2,

arrows $\Gamma' \mid \Xi' \to \Gamma \mid \Xi$: given by renamings (= monotone injections) $\rho : \mathrm{dom}(\Gamma) \to \mathrm{dom}(\Gamma')$, where $\mathrm{dom}(x_1 : \tau_1, \ldots, x_n : \tau_n) = (x_1 < \cdots < x_n)$, that preserve typing:
$$x : \tau \in \Gamma \ \Rightarrow\ \rho(x) : \tau \in \Gamma',$$
and preserve constraints:
$$t =_\tau t' \in \Xi \ \Rightarrow\ t[\rho] =_\tau t'[\rho] \in \Xi',$$

identities and composition: as for functions.

2. The covers in $K$ are defined inductively by the following rules:
$$\{\mathrm{id}_{\mathrm{dom}(\Gamma)}\} \in K(\Gamma \mid \Xi)$$
$$\frac{\{\rho_j\}_{j \in J} \cup \{\rho : \Gamma' \mid \Xi' \to \Gamma \mid \Xi\} \in K(\Gamma \mid \Xi) \qquad \Gamma' \vdash t : +^{(n)}(\tau_1, \ldots, \tau_n)}{\{\rho_j\}_{j \in J} \cup \{\rho \circ \iota_k : \Gamma'_k \mid \Xi'_k \to \Gamma \mid \Xi\}_{1 \le k \le n} \in K(\Gamma \mid \Xi)}$$
where $\Gamma'_k \mid \Xi'_k = (\Gamma', x'_k : \tau_k \mid \Xi', \mathrm{in}_k(x'_k) = t)$ for any choice of fresh variables $x'_1, \ldots, x'_n$ and the renamings $\iota_k : \mathrm{dom}(\Gamma') \to \mathrm{dom}(\Gamma', x'_k : \tau_k)$ are the inclusion functions.

It follows that any cover $\{\rho_j\}$ consists entirely of inclusion functions (which is why $\Gamma'_k \mid \Xi'_k$ can be defined using $t$ rather than $t[\rho]$). Observe also that a constrained environment $\Gamma \mid \Xi$ is covered by the empty family if and only if there exists a term $\Gamma \vdash t : 0$.

The above definition provides, for every $\Gamma \vdash t : +^{(n)}(\tau_1, \ldots, \tau_n)$, sub-basic covers of the form
$$\{\ (\Gamma, x_i : \tau_i \mid \Xi, \mathrm{in}_i(x_i) = t) \to (\Gamma \mid \Xi)\ \}_{1 \le i \le n}$$
keeping the morphisms as simple as possible whilst allowing the axioms of a Grothendieck topology to hold. For instance, the stability axiom holds because for any inclusion
$$\iota_i : (\Gamma, x_i : \tau_i \mid \Xi, \mathrm{in}_i(x_i) = t) \to \Gamma \mid \Xi$$
(as present in the non-trivial covers) and any renaming $\rho : \Gamma' \mid \Xi' \to \Gamma \mid \Xi$, we have a commuting square
$$\begin{array}{ccc} (\Gamma', x' : \tau_i \mid \Xi', \mathrm{in}_i(x') = t[\rho]) & \longrightarrow & (\Gamma, x_i : \tau_i \mid \Xi, \mathrm{in}_i(x_i) = t) \\ \downarrow & & \downarrow {\scriptstyle \iota_i} \\ \Gamma' \mid \Xi' & \xrightarrow{\ \ \rho\ \ } & \Gamma \mid \Xi \end{array}$$
for any $x'$ not in $\Gamma'$. Observe that the possibility of morphisms renaming variables is crucial here, as the variable $x_i$ may already appear in the environment $\Gamma'$. Thus the stability of covers would not hold if we only allowed inclusions as morphisms in $W$. Indeed, the category $W$ is not a preorder.

Definition 11 (Standard arity functor). The standard arity functor $s : W \to S$ sends any constrained environment $\Gamma \mid \Xi$ to its interpretation $[\![\Gamma \mid \Xi]\!]$, and any renaming $\rho : \Gamma' \mid \Xi' \to \Gamma \mid \Xi$ to the unique map $s(\rho)$, given by the universal property of the equaliser $[\![\Gamma \mid \Xi]\!] \rightarrowtail [\![\Gamma]\!]$ of (2) in Section 2, such that the square below commutes.
$$\begin{array}{ccc} [\![\Gamma' \mid \Xi']\!] & \rightarrowtail & [\![\Gamma']\!] \\ {\scriptstyle s(\rho)} \downarrow & & \downarrow {\scriptstyle \langle \pi_{\rho x} \rangle_{x \in \Gamma}} \\ [\![\Gamma \mid \Xi]\!] & \rightarrowtail & [\![\Gamma]\!] \end{array} \qquad (4)$$
For a cover $\{\iota_i : (\Gamma, x_i : \tau_i \mid \Xi, \mathrm{in}_i(x_i) = t) \to \Gamma \mid \Xi\}_{1 \le i \le n}$ in $K$ it follows, from (1) and the stability of coproducts, that the family $\{s(\iota_i)\}_{1 \le i \le n}$ is a coproduct in $S$. By induction, this property extends to arbitrary covers in $K$ and hence we have the following consequence.

Proposition 3. For every cover $\{\rho_i : \Gamma_i \mid \Xi_i \to \Gamma \mid \Xi\}$, the family $\{s(\rho_i) : [\![\Gamma_i \mid \Xi_i]\!] \to [\![\Gamma \mid \Xi]\!]\}$ is a coproduct.

Corollary 1. For all $A \in |S|$, the presheaf $s^*A$ in $\widehat{W}$ is a sheaf for $K$.

The key lemma for establishing the definability result follows.

Lemma 2. For every cover $\{\rho_i : \Gamma_i \mid \Xi_i \to \Gamma \mid \Xi\}$ and every family of terms $\{\Gamma_i \vdash t_i : \tau\}$ there exists a term $\Gamma \vdash t : \tau$ such that

1. $\Gamma_i \mid \Xi_i \vdash t_i = t : \tau$.

2. If $\Gamma \vdash t' : \tau$ is such that $\Gamma_i \mid \Xi_i \vdash t' = t_i : \tau$ for all $i$, then $\Gamma \mid \Xi \vdash t' = t : \tau$.

3. For $x : [\![\Gamma \mid \Xi]\!] \to [\![\tau]\!]$, the diagram below commutes for all $i$
$$\begin{array}{ccc} [\![\Gamma_i \mid \Xi_i]\!] & \xrightarrow{\ \ s(\rho_i)\ \ } & [\![\Gamma \mid \Xi]\!] \\ \downarrow & & \downarrow {\scriptstyle x} \\ [\![\Gamma_i]\!] & \xrightarrow{\ \ [\![\Gamma_i \vdash t_i : \tau]\!]\ \ } & [\![\tau]\!] \end{array}$$
iff $x = ([\![\Gamma \mid \Xi]\!] \rightarrowtail [\![\Gamma]\!] \xrightarrow{[\![\Gamma \vdash t : \tau]\!]} [\![\tau]\!])$.

Proof. (1)-(2) To a derivation $D$ of a cover $\{\rho_i : \Gamma_i \mid \Xi_i \to \Gamma \mid \Xi\}$ and terms $\{\Gamma_i \vdash t_i : \tau\}$ we associate a term $\Gamma \vdash T(D, \{\Gamma_i \vdash t_i : \tau\}) : \tau$ by induction on the structure of the derivation as follows.

- $T(\{\mathrm{id}_{\mathrm{dom}(\Gamma)}\}, \{\Gamma \vdash t : \tau\}) = t$.

- For $D \cdot r$ obtained from $D$ by an instance $r$ of the rule
$$\frac{\{\rho_j\}_{j \in J} \cup \{\rho\} \qquad \Gamma' \vdash t : +^{(n)}(\tau_1, \ldots, \tau_n)}{\{\rho_j\}_{j \in J} \cup \{\rho \circ \iota_k\}_{1 \le k \le n}}$$
where $\iota_k : (\Gamma', x_k : \tau_k \mid \Xi', \mathrm{in}_k(x_k) = t) \to \Gamma' \mid \Xi'$, we set
$$T(D \cdot r, \{\Gamma_j \vdash t_j : \tau\}_{j \in J} \cup \{\Gamma', x_k : \tau_k \vdash t_k : \tau\}_{1 \le k \le n}) = T(D, \{\Gamma_j \vdash t_j : \tau\}_{j \in J} \cup \{\Gamma' \vdash \mathrm{case}\ t\ \mathrm{of}\ [\mathrm{in}_1(x_1).t_1, \ldots, \mathrm{in}_n(x_n).t_n] : \tau\}).$$

That the term $T(D, \{\Gamma_i \vdash t_i : \tau\})$ has the desired properties can be shown by induction using the equational rules.

(3) By Proposition 3, because
$$\begin{array}{rcll} & & ([\![\Gamma_j \mid \Xi_j]\!] \rightarrowtail [\![\Gamma_j]\!] \xrightarrow{[\![\Gamma_j \vdash t_j : \tau]\!]} [\![\tau]\!]) & \\ & = & ([\![\Gamma_j \mid \Xi_j]\!] \rightarrowtail [\![\Gamma_j]\!] \xrightarrow{[\![\Gamma_j \vdash t : \tau]\!]} [\![\tau]\!]) & \text{by Proposition 1} \\ & = & ([\![\Gamma_j \mid \Xi_j]\!] \rightarrowtail [\![\Gamma_j]\!] \xrightarrow{\langle \pi_{\rho_j x} \rangle_{x \in \Gamma}} [\![\Gamma]\!] \xrightarrow{[\![\Gamma \vdash t : \tau]\!]} [\![\tau]\!]) & \\ & = & ([\![\Gamma_j \mid \Xi_j]\!] \xrightarrow{s(\rho_j)} [\![\Gamma \mid \Xi]\!] \rightarrowtail [\![\Gamma]\!] \xrightarrow{[\![\Gamma \vdash t : \tau]\!]} [\![\tau]\!]) & \text{by (4).} \end{array}$$
□
Proposition 4. Let $S$ be a stable bicartesian closed category (with chosen structure) and let $\mathcal{I}$ be a $(\mathbf{T},\Sigma)$-interpretation in $S$. Then

1. for
$$\mathcal{R}_T(\Gamma \mid \Xi) \ \stackrel{\mathrm{def}}{=}\ \{\ [\![\Gamma \mid \Xi]\!] \rightarrowtail [\![\Gamma]\!] \xrightarrow{[\![\Gamma \vdash t : T]\!]} [\![T]\!]\ \mid\ \Gamma \vdash t : T\ \}, \qquad (5)$$
$((W,K), s, \{\mathcal{R}_T\}_{T \in \mathbf{T}})$ is a Grothendieck logical relation for $\Sigma$ under $\mathcal{I}$;

2. for every type $\tau$,
$$\mathcal{R}_\tau(\Gamma \mid \Xi) = \{\ [\![\Gamma \mid \Xi]\!] \rightarrowtail [\![\Gamma]\!] \xrightarrow{[\![\Gamma \vdash t : \tau]\!]} [\![\tau]\!]\ \mid\ \Gamma \vdash t : \tau\ \}.$$

Proof. (1) Follows from (2) below.

(2) By induction on the structure of $\tau$.

$\tau = T$: By (5).

$\tau = \tau_1 \to \tau_2$:

($\supseteq$) Let $m = ([\![\Gamma \mid \Xi]\!] \rightarrowtail [\![\Gamma]\!])$ and $m' = ([\![\Gamma' \mid \Xi']\!] \rightarrowtail [\![\Gamma']\!])$. For $\rho : \Gamma' \mid \Xi' \to \Gamma \mid \Xi$ and $x \in \mathcal{R}_{\tau_1}(\Gamma' \mid \Xi')$ we have, by induction, that $x = [\![\Gamma' \vdash t' : \tau_1]\!] \circ m'$ for some $t'$. Thus, to establish that $[\![\Gamma \vdash t : \tau_1 \to \tau_2]\!] \circ m$ is in $\mathcal{R}_{\tau_1 \to \tau_2}(\Gamma \mid \Xi)$ we need to show that $\mathrm{ev} \circ \langle [\![\Gamma \vdash t : \tau_1 \to \tau_2]\!] \circ m \circ s(\rho),\ [\![\Gamma' \vdash t' : \tau_1]\!] \circ m' \rangle$ is in $\mathcal{R}_{\tau_2}(\Gamma' \mid \Xi')$.

Using that $m \circ s(\rho) = \langle \pi_{\rho x} \rangle_{x \in \Gamma} \circ m'$ and that $[\![\Gamma \vdash t : \tau_1 \to \tau_2]\!] \circ \langle \pi_{\rho x} \rangle_{x \in \Gamma} = [\![\Gamma' \vdash t[\rho] : \tau_1 \to \tau_2]\!]$ one sees that $\mathrm{ev} \circ \langle [\![\Gamma \vdash t : \tau_1 \to \tau_2]\!] \circ m \circ s(\rho),\ [\![\Gamma' \vdash t' : \tau_1]\!] \circ m' \rangle = [\![\Gamma' \vdash t[\rho]\,t' : \tau_2]\!] \circ m'$ and, by induction, we are done.

($\subseteq$) Let
$$f \in \mathcal{R}_{\tau_1 \to \tau_2}(\Gamma \mid \Xi). \qquad (6)$$
Recall that $([\![\Gamma, x : \tau_1 \mid \Xi, x =_{\tau_1} x]\!] \rightarrowtail [\![\Gamma]\!] \times [\![\tau_1]\!]) = m \times \mathrm{id}_{[\![\tau_1]\!]}$ where $m = ([\![\Gamma \mid \Xi]\!] \rightarrowtail [\![\Gamma]\!])$. Thus, for $\iota : (\Gamma, x : \tau_1 \mid \Xi, x =_{\tau_1} x) \to \Gamma \mid \Xi$ the inclusion, we have that $s(\iota) = \pi_1 : [\![\Gamma \mid \Xi]\!] \times [\![\tau_1]\!] \to [\![\Gamma \mid \Xi]\!]$.

Since, by induction, $\pi_2 = [\![\Gamma, x : \tau_1 \vdash x : \tau_1]\!] \circ (m \times \mathrm{id}_{[\![\tau_1]\!]}) : [\![\Gamma \mid \Xi]\!] \times [\![\tau_1]\!] \to [\![\tau_1]\!]$ is in $\mathcal{R}_{\tau_1}(\Gamma, x : \tau_1 \mid \Xi, x =_{\tau_1} x)$ it follows from (6) that $\mathrm{ev} \circ \langle f \circ \pi_1, \pi_2 \rangle$ is in $\mathcal{R}_{\tau_2}(\Gamma, x : \tau_1 \mid \Xi, x =_{\tau_1} x)$. So, again by induction, $\mathrm{ev} \circ \langle f \circ \pi_1, \pi_2 \rangle = [\![\Gamma, x : \tau_1 \vdash t : \tau_2]\!] \circ (m \times \mathrm{id}_{[\![\tau_1]\!]})$ for some $t$, and hence $f = [\![\Gamma \vdash \lambda x : \tau_1.\,t : \tau_1 \to \tau_2]\!] \circ m$.

$\tau = \times^{(n)}(\tau_1, \ldots, \tau_n)$:

($\supseteq$) Let $m = ([\![\Gamma \mid \Xi]\!] \rightarrowtail [\![\Gamma]\!])$. By induction, for $1 \le i \le n$, $\pi_i \circ [\![\Gamma \vdash t : \times^{(n)}(\tau_1, \ldots, \tau_n)]\!] \circ m = [\![\Gamma \vdash \mathrm{proj}_i(t) : \tau_i]\!] \circ m$ is in $\mathcal{R}_{\tau_i}(\Gamma \mid \Xi)$. Thus, $[\![\Gamma \vdash t : \times^{(n)}(\tau_1, \ldots, \tau_n)]\!] \circ m$ is in $\mathcal{R}_{\times^{(n)}(\tau_1, \ldots, \tau_n)}(\Gamma \mid \Xi)$.

($\subseteq$) Let $x \in \mathcal{R}_{\times^{(n)}(\tau_1, \ldots, \tau_n)}(\Gamma \mid \Xi)$. Then, for $1 \le i \le n$, we have that $\pi_i \circ x \in \mathcal{R}_{\tau_i}(\Gamma \mid \Xi)$. By induction, $\pi_i \circ x = [\![\Gamma \vdash t_i : \tau_i]\!] \circ m$, where $m = ([\![\Gamma \mid \Xi]\!] \rightarrowtail [\![\Gamma]\!])$, for some $t_i$ ($1 \le i \le n$). Thus, $x = [\![\Gamma \vdash (t_1, \ldots, t_n) : \times^{(n)}(\tau_1, \ldots, \tau_n)]\!] \circ m$.

$\tau = +^{(n)}(\tau_1, \ldots, \tau_n)$:

($\supseteq$) Let $m = ([\![\Gamma \mid \Xi]\!] \rightarrowtail [\![\Gamma]\!])$ and, for $x_i \notin \Gamma$ ($1 \le i \le n$), let $m_i = ([\![\Gamma, x_i : \tau_i \mid \Xi, \mathrm{in}_i(x_i) =_{+^{(n)}(\tau_1, \ldots, \tau_n)} t]\!] \rightarrowtail [\![\Gamma]\!] \times [\![\tau_i]\!])$.

By induction, we have that $\pi_2 \circ m_i = [\![\Gamma, x_i : \tau_i \vdash x_i : \tau_i]\!] \circ m_i$ is in $\mathcal{R}_{\tau_i}(\Gamma, x_i : \tau_i \mid \Xi, \mathrm{in}_i(x_i) = t)$ for all $i$.

Consider the cover
$$\{\ (\Gamma, x_i : \tau_i \mid \Xi, \mathrm{in}_i(x_i) = t) \xrightarrow{\ \iota_i\ } \Gamma \mid \Xi\ \}_{1 \le i \le n}.$$
Then since, for $1 \le i \le n$, the square with sides $s(\iota_i)$, $\pi_2 \circ m_i$, $\mathrm{in}_i$ and $[\![\Gamma \vdash t : +^{(n)}(\tau_1, \ldots, \tau_n)]\!] \circ m$ commutes, it follows that $[\![\Gamma \vdash t : +^{(n)}(\tau_1, \ldots, \tau_n)]\!] \circ m$ is in $\mathcal{R}_{+^{(n)}(\tau_1, \ldots, \tau_n)}(\Gamma \mid \Xi)$.

($\subseteq$) If $x \in \mathcal{R}_{+^{(n)}(\tau_1, \ldots, \tau_n)}(\Gamma \mid \Xi)$ then there exists a cover $\{\rho_i : \Gamma_i \mid \Xi_i \to \Gamma \mid \Xi\}$ such that for all $i$, using the induction hypothesis, there exist $\Gamma_i \vdash t_i : \tau_{n_i}$ with $1 \le n_i \le n$ such that for all $i$
$$x \circ s(\rho_i) = ([\![\Gamma_i \mid \Xi_i]\!] \rightarrowtail [\![\Gamma_i]\!] \xrightarrow{[\![\Gamma_i \vdash \mathrm{in}_{n_i}(t_i) : +^{(n)}(\tau_1, \ldots, \tau_n)]\!]} [\![+^{(n)}(\tau_1, \ldots, \tau_n)]\!]).$$
Hence, by Lemma 2, we are done. □

Corollary 2. For the Grothendieck logical relation $((W,K), s, \{\mathcal{R}_T\}_{T \in \mathbf{T}})$, a global element of $[\![\tau]\!]$ in $S$ satisfies $\mathcal{R}_\tau$ if and only if it is definable by a closed term of type $\tau$.

5 Further results

In the full version of this paper, we shall show that Theorem 1 can be strengthened by requiring that a "universal" site $(W,K)$ can be found in which $W$ is a partial order. This strengthening could be proved directly by making clumsy modifications to the construction of the syntactic site $(W,K)$ given in Section 4. It is preferable, however, to derive the result by means of an elegant general construction. As in the well-known construction of the Diaconescu cover of a Grothendieck topos [6, IX.9], any site $(W,K)$ determines a related site $\mathrm{D}(W,K)$ over a poset $\mathrm{D}(W)$ together with a surjective functor $d_W : \mathrm{D}(W) \to W$. We have proved that, for any arity functor $a : W \to S$ (for $S$ bicartesian closed), there is an associated full and faithful bicartesian closed functor $\mathrm{G}(W,K,a) \to \mathrm{G}(\mathrm{D}(W), \mathrm{D}(K), a \circ d_W)$. This means that our definability result for the syntactic site $(W,K)$ yields the desired poset-based definability result for $\mathrm{D}(W,K)$.

Other aspects of the paper also benefit from a more abstract categorical treatment. For example, the construction of the category $\mathrm{G}(W,K,a)$ is an example of the subscone variant of glueing [1], in which the objects are restricted to $K$-closed monos (in $\widehat{W}$). Essentially this amounts to glueing relative to a factorization system. The analysis of the structure on $\mathrm{G}(W,K,a)$ can be performed entirely at this more general level.

Finally, it is also possible to give a syntax-free account of definability. For any bicartesian closed functor $F : B \to S$ where $B$ is small and $S$ is stable, there exists a site $(W,K)$ (with $W$ a poset) and an arity functor $a : W \to S$ such that $F$ factors as $UG$ where $G : B \to \mathrm{G}(W,K,a)$ is a full bicartesian closed functor.
Abstract. We introduce an explicitly typed λμ-calculus of call-by-value as a short-hand for the 2nd order Church-style. Our motivation comes from the observation that in Curry-style polymorphic calculi, control operators such as callcc or μ-operators cannot, in general, treat the terms placed on the control operator's left. Following the continuation semantics, we also discuss the notion of values in classical system, and propose an extended form of values. It is shown that the CPS-translation is sound with respect to λ2 (2nd order λ-calculus). Next, we provide an explicitly and an implicitly typed Damas-Milner system with μ-operators. Finally, we give a brief comparison with standard ML plus callcc, and discuss a natural way to avoid the unsoundness of ML with callcc.



1 Introduction 

On the basis of the Curry-Howard-De Bruijn isomorphism [19], proof reductions can be regarded as computational rules, and the algorithmic contents of proofs can be used to obtain correct programs that satisfy logical specifications. The computational meaning of proofs has been investigated in a wide range of fields, including not only intuitionistic logic but also classical logic and modal logic [21]. In the area of classical logic, there have been a number of noteworthy investigations including Griffin [12], Murthy [26], Parigot [30], Berardi&Barbanera [4], Rehof&Sørensen [35], de Groote [8] and Ong [28].

As far as we know, however, polymorphic call-by-value calculus is less studied from the viewpoint of classical logic. In this paper, we introduce an explicitly typed λμ-calculus of call-by-value as a short-hand for the 2nd order Church-style. Our motivation comes from the observation that in Curry-style polymorphic calculi, control operators such as callcc or μ-operators cannot, in general, treat the terms placed on the control operator's left. Following the continuation semantics, we also discuss the notion of values in classical system, and propose an extended form of values. It is shown that the CPS-translation is sound with respect to λ2 (System F of Girard, Polymorphic calculus of Reynolds). We observe that the inverse of the soundness does not hold, and that adding ⊥-reduction in Ong&Stewart [29] breaks down the soundness of the CPS-translation. As one of the by-products, it can be obtained that the 2nd order call-by-value λμ-calculus has the strong normalization property. Next, we provide an explicitly and an implicitly typed Damas-Milner system with μ-operators, and compare those from the viewpoint of polymorphic control operators under call-by-value. Finally, we give a brief comparison with standard ML plus callcc, and discuss a natural way to avoid the unsoundness of ML with callcc [14].

2 Curry-Style vs. Church-Style

With respect to the simply typed lambda calculus $\lambda^\to$, there is a forgetful map from $\lambda^\to$ à la Church to $\lambda^\to$ à la Curry, and conversely, well-typed terms in $\lambda^\to$-Curry can be lifted to well-typed terms in $\lambda^\to$-Church [3]. In the case of ML [25], there also exist implicitly typed and explicitly typed systems, and they are essentially equivalent [17]. Hence, the implicitly typed system serves as a short-hand for the explicitly typed system.

However, the equivalence between Curry-style and Church-style does not always hold for complex systems. Parigot [30] introduced λμ-calculus in Curry-style as 2nd order classical logic although λμ-calculus à la Church was also given [32]. An intrinsically classical reduction is called the structural reduction, which is a kind of permutative proof reduction in Prawitz [34] or the so-called commutative cut. The λμ-calculus of Parigot is now known as a call-by-name system. If we construct a call-by-value λμ-calculus, then the Curry-style cannot work for a consistent system. In a call-by-value system of λμ, we can adopt a certain permutative reduction [30,29], called the symmetric structural reduction, to manage the terms placed on the μ-operator's left. However, the symmetric structural proof reduction, in general, violates the subject reduction property in the Curry-style. Consider the following figures:



$$\frac{V : (\forall t.\sigma_1) \to \sigma_2 \qquad \dfrac{\ \dfrac{\ \dfrac{\ \dfrac{M_1 : \sigma_1}{[\alpha]M_1 : \bot;\ \sigma_1^{\alpha}}\ \ \vdots\ }{M : \bot;\ \sigma_1^{\alpha}}\ }{\mu\alpha.M : \sigma_1}\ }{\mu\alpha.M : \forall t.\sigma_1}\ (\forall I)^*}{V(\mu\alpha.M) : \sigma_2}$$

$$\triangleright\quad \frac{\ \dfrac{\ \dfrac{\ \dfrac{V : (\forall t.\sigma_1) \to \sigma_2 \qquad \dfrac{M_1 : \sigma_1}{M_1 : \forall t.\sigma_1}\ (\forall I)^*}{V M_1 : \sigma_2}\ }{[\alpha](V M_1) : \bot;\ \sigma_2^{\alpha}}\ \ \vdots\ }{M[V \Rightarrow \alpha] : \bot;\ \sigma_2^{\alpha}}\ }{\mu\alpha.M[V \Rightarrow \alpha] : \sigma_2}$$

where $M[V \Rightarrow \alpha]$ denotes a term obtained by replacing each subterm of the form $[\alpha]N$ in $M$ with $[\alpha](VN)$. Here, when $M$ is in the form of $[\alpha](\lambda x_1 \cdots x_n.M')$ and the type $\sigma_1$ depends on the type of some $x_i$ ($1 \le i \le n$), the eigenvariable condition of $(\forall I)^*$ is broken down. For instance,
$$\lambda x.(\lambda f.(\lambda x_1 x_2.x_2)(fx)(f(\lambda x.x)))\ (\mu\alpha.[\alpha](\lambda y.\mu\beta.[\alpha](\lambda v.y)))$$
has type $t \to t \to t$. But this term is reduced to $\lambda x.x$ by the use of the symmetric structural reduction. Let $P = \lambda f.(\lambda x_1 x_2.x_2)(fx)(f(\lambda x.x))$ and $Q = \mu\alpha.[\alpha](\lambda y.\mu\beta.[\alpha](\lambda v.y))$. Then similarly
$$\lambda g.(\lambda x.g(PQx))(\lambda x.g(PQx)) : (\forall t'.(t' \to t')) \to t \to t$$
is reduced to $\lambda g.(\lambda x.g(xx))(\lambda x.g(xx))$. On the other hand, the case $\mu\alpha.M$ of $\mu\alpha.[\alpha](\lambda v.\mu\beta.[\alpha](\lambda x.x))$ is a special case where the symmetric structural reduction is applicable even to polymorphic $\mu\alpha.M$, and then, for example,
$$\lambda x.((\lambda f.(\lambda x_1 x_2.x_2)(fx)(f(\lambda x.x)))\ (\mu\alpha.[\alpha](\lambda v.\mu\beta.[\alpha](\lambda x.x)))\ x) : t \to t$$


164 Ken-etsu Fujita 



is reduced to $\lambda x.x$. This kind of phenomenon was first discovered by Harper & Lillibridge [14] as a counterexample for ML with callcc. From the viewpoint of classical proof reductions, the fatal defect can be explained such that in λμ-calculus à la Curry (2nd order classical logic), an application of the symmetric structural reduction, in general, breaks down the eigenvariable condition of polymorphic generalization, and then the terms placed on the polymorphic μ-operator's left cannot be managed by the symmetric structural reduction. In terms of explicit polymorphism, in other words, an evaluation under Λ-abstractions cannot be allowed without restricting $\Lambda t.M$ to $\Lambda t.V$ [15]. Even in the Damas-Milner style [6] (implicitly typed ML) plus control operators, a similar defect still happens under an ML-like call-by-value [15,16].

To avoid such a problem in implicitly typed ML with control operators, one can adopt an η-like expansion for polymorphic control operators [11], such that
$$\mathrm{let}\ f = \mu\alpha.M_1\ \mathrm{in}\ M_2\ \ \triangleright\ \ \mathrm{let}\ f = \lambda x.\mu\alpha.M_1[\alpha \Leftarrow x]\ \mathrm{in}\ M_2,$$
where each subterm in the form of $[\alpha](\lambda y.w)$ in $M_1$ is replaced with $[\alpha]((\lambda y.w)x)$. Another natural way to avoid the problem in call-by-value λμ is to take an explicitly typed system. In the above example, the term $Q$ is a polymorphic term, and its type becomes $\forall t.(t \to t)$. Here, the explicitly typed term as a form of a value, $V = \Lambda t.Q$, is used for $\beta_v$-reductions, such that
$$\lambda x.(\lambda f.(\lambda x_1 x_2.x_2)(f\,t\,x)(f\,(t \to t)\,(\lambda x.x)))\ V : t \to t \to t$$
is now reduced to $\lambda vx.x$. In the next section, under the call-by-value strategy we introduce an explicitly typed λμ-calculus especially for polymorphic terms, which is regarded as a short-hand for the complete Church-style. To obtain the results in this paper, it is enough to consider a system such that $\Lambda t.M$ is represented simply by $\Lambda M$ such as lifting and $M\sigma$ by $M()$, and $(\Lambda M)()$ is reduced to $M$. A similar observation is given for let-polymorphism in Leroy [23]. The annotations $\Lambda$ and $()$ for polymorphic terms play the role of choosing an appropriate computation under call-by-value. However, from the viewpoint of logic, a call-by-value λμ-calculus with explicit polymorphism, called a domain-free system in Barthe&Sørensen [5], is considered here rather than such a simplified polymorphism using the annotations or implicit polymorphism by name [23].

On the other hand, Harper&Lillibridge [15] extensively studied explicit polymorphism and CPS-conversion for a calculus with callcc. The call-by-value system $\lambda_v\mu$ introduced in section 3 can be regarded as a meaningful simplification of the 2nd order fragment of their system. Moreover, the Damas-Milner style $\lambda\mu_{ml}$ introduced in section 5 has no restriction for establishing the subject reduction and Meyer-Wand typing properties, as compared with those of [15,16].

3 Explicitly Typed $\lambda_v\mu$-Calculus

Following the observation in the previous section, we introduce an explicitly typed λμ-calculus of call-by-value especially for polymorphic terms, called a domain-free system [5], which is regarded as a short-hand for the Church-style.

The types $\sigma$ are defined from type variables $t$ and a type constant $\bot$. We have a set of (λ-)variables $x, y, z, \ldots$, and a set of names (that will be called continuation variables later) $\alpha, \beta, \ldots$. The type assumptions are defined as usual, and $\Delta$ is used for a set of name-indexed types. The terms $M$ are defined as variables, λ- or Λ-abstractions, applications, μ-abstractions, or named terms. From a logical viewpoint, the typing rule $(\bot E)$ for $\mu\alpha.M$ is regarded as a classical inference rule such that we infer $\Gamma, \neg\Delta \vdash \mu\alpha.M : \sigma$ from $\Gamma, \neg\Delta, \alpha : \neg\sigma \vdash M : \bot$. The typing rule $(\bot I)$ for $[\alpha]M$ can be considered as a special case of ⊥-introduction by the use of $(\to E)$. On the basis of the continuation semantics in the next section, a name can be interpreted as a continuation variable. In the rule $(\bot I)$, the continuation variable $\alpha$ appears only in the function-position, but not in the argument-position. Here, the negative assumption $\alpha : \neg\sigma$ corresponding to $\sigma^\alpha$ of $(\bot I)$ can be discharged only by $(\bot E)$. This style of proofs consisting of the special case of ⊥-introduction is called a regular proof in Andou [1]. The notion of values is introduced below as an extended form; the class of values is closed under both value-substitutions induced by $(\beta_v)$ and left and right context-replacements induced by $(\mu_{l,r})$, as defined later. The definition of the reduction rules is given below under call-by-value. In particular, the classical reductions $(\mu_{l,r,t})$ below can be explained as a logical permutative reduction in the sense of Prawitz [34] and Andou [1]. Here, in the reduction $(\mu\alpha.M)N \triangleright \mu\alpha.M[\alpha \Leftarrow N]$, since both the type of $\mu\alpha.M$ and the type of each subterm $M'$ with the form $[\alpha]M'$ in $M$ can be considered as members of the segments ending with the type of $\mu\alpha.M$, the application of $(\to E, \forall E)$ is shifted up to each occurrence $M'$, and then $M[\alpha \Leftarrow N]$ (each $[\alpha]M'$ is replaced with $[\alpha](M'N)$) is obtained. This reduction is also called a structural reduction in Parigot [30]. On the other hand, since a term of the form $\mu\alpha.M$ is not regarded as a value, $(\lambda x.M_1)(\mu\alpha.M_2)$ will not be a $\beta_v$-contractum, but will be a contractum of $(\mu_l)$ below, which can be considered as a symmetric structural reduction. $FV(M)$ stands for the set of free variables in $M$, and $FN(M)$ for the set of free names in $M$.

$\lambda_v\mu$:

Types $\quad \sigma ::= t \mid \bot \mid \sigma \to \sigma \mid \forall t.\sigma$

Type Assumptions $\quad \Gamma ::= \langle\rangle \mid x : \sigma, \Gamma \qquad \Delta ::= \langle\rangle \mid \sigma^\alpha, \Delta$

Terms $\quad M ::= x \mid \lambda x.M \mid MM \mid \Lambda t.M \mid M\sigma \mid \mu\alpha.M \mid [\alpha]M$

Type Assignment
$$\Gamma \vdash x : \Gamma(x);\ \Delta$$
$$\frac{\Gamma \vdash M_1 : \sigma_1 \to \sigma_2;\ \Delta \qquad \Gamma \vdash M_2 : \sigma_1;\ \Delta}{\Gamma \vdash M_1 M_2 : \sigma_2;\ \Delta}\ (\to E) \qquad \frac{\Gamma, x : \sigma_1 \vdash M : \sigma_2;\ \Delta}{\Gamma \vdash \lambda x.M : \sigma_1 \to \sigma_2;\ \Delta}\ (\to I)$$
$$\frac{\Gamma \vdash M : \forall t.\sigma_1;\ \Delta}{\Gamma \vdash M\sigma_2 : \sigma_1[t := \sigma_2];\ \Delta}\ (\forall E) \qquad \frac{\Gamma \vdash M : \sigma;\ \Delta}{\Gamma \vdash \Lambda t.M : \forall t.\sigma;\ \Delta}\ (\forall I)^*$$
$$\frac{\Gamma \vdash M : \sigma;\ \Delta}{\Gamma \vdash [\alpha]M : \bot;\ \Delta, \sigma^\alpha}\ (\bot I) \qquad \frac{\Gamma \vdash M : \bot;\ \Delta, \sigma^\alpha}{\Gamma \vdash \mu\alpha.M : \sigma;\ \Delta}\ (\bot E)$$
where $(\forall I)^*$ denotes the eigenvariable condition.

Values $\quad V ::= x \mid \lambda x.M \mid \Lambda t.M \mid [\alpha]M$

Term reductions
Term reductions 
$(\beta_v)\ \ (\lambda x.M)V \triangleright M[x := V];$ $\qquad (\eta_v)\ \ \lambda x.Vx \triangleright V$ if $x \notin FV(V)$;

$(\beta_t)\ \ (\Lambda t.M)\sigma \triangleright M[t := \sigma];$ $\qquad (\mu_t)\ \ (\mu\alpha.M)\sigma \triangleright \mu\alpha.M[\alpha \Leftarrow \sigma];$

$(\mu_r)\ \ (\mu\alpha.M_1)M_2 \triangleright \mu\alpha.M_1[\alpha \Leftarrow M_2];$ $\qquad (\mu_l)\ \ V(\mu\alpha.M) \triangleright \mu\alpha.M[V \Rightarrow \alpha];$

$(rn)\ \ [\alpha](\mu\beta.V) \triangleright V[\beta := \alpha];$ $\qquad (\mu\text{-}\eta)\ \ \mu\alpha.[\alpha]M \triangleright M$ if $\alpha \notin FN(M)$,

where the term $M[\alpha \Leftarrow N]$ denotes the term obtained from $M$ by replacing each subterm of the form $[\alpha]M'$ in $M$ with $[\alpha](M'N)$. That is, the term (context) placed on $\mu\alpha.M$'s right is placed in an argument position of $M'$ in $[\alpha]M'$. In turn, the term $M[V \Rightarrow \alpha]$ denotes the term obtained from $M$ by replacing each subterm of the form $[\alpha]M'$ in $M$ with $[\alpha](VM')$.

Values are reduced to simpler values by $(\eta_v)$, eta-reduction, and $(rn)$, renaming; those rules are restricted to values, a condition that is necessary to establish a sound CPS-translation in section 4. We note that, as observed in Ong&Stewart [29], there are closed normal forms which are not values, called canonical forms, e.g., $\mu\alpha.[\alpha](\lambda x.\mu\beta.[\alpha](\lambda v.x))$. Those terms can be reduced by $(S_3)$ in [31] or in [29], but in this case $(\mu\alpha.M)(\mu\beta.N)$ is reduced in two ways (not confluent). Note also that the failure of operational extensionality for $\mu\mathrm{PCF}^{-}$ is demonstrated in [29]. In fact, $(\mu\text{-}\eta)$ becomes admissible under the eta-reduction and $(\mu_r)$. Here, however, a term in the form of $\mu\alpha.M$ is not a value, and we have the value-restricted $(\eta_v)$ rather than the eta-reduction itself.

We denote by $\triangleright_1$ the one-step reduction induced by $\triangleright$. We write $=_\mu$ for the reflexive, symmetric, transitive closure of $\triangleright_1$. The notations such as $\triangleright_\beta$, $\triangleright_{\beta\eta}$, $=_{\beta\eta}$, etc. are defined as usual, and $\triangleright^i$ denotes $i$-step β-reduction ($i \ge 0$).

Proposition 1 (Subject reduction property for $\lambda_v\mu$). If we have $\Gamma \vdash M_1 : \sigma;\ \Delta$ and $M_1 \triangleright_\mu M_2$ in $\lambda_v\mu$, then $\Gamma \vdash M_2 : \sigma;\ \Delta$ in $\lambda_v\mu$.

Proof. By induction on the derivation of $M_1 \triangleright_\mu M_2$. Note that in $\lambda_v\mu$, typing rules are uniquely determined depending on the shape of terms. □

The well-known type erasure $M^\circ$ is defined as follows:
$$(x)^\circ = x;\quad (\lambda x.M)^\circ = \lambda x.M^\circ;\quad (M_1 M_2)^\circ = M_1^\circ M_2^\circ;$$
$$(\Lambda t.M)^\circ = M^\circ;\quad (M\sigma)^\circ = M^\circ;\quad (\mu\alpha.M)^\circ = \mu\alpha.M^\circ;\quad ([\alpha]M)^\circ = [\alpha]M^\circ.$$
Then it can be seen that the typing relation is preserved between $\lambda_v\mu$ and implicitly typed λμ:

(i) If we have $\Gamma \vdash M : \sigma;\ \Delta$ in $\lambda_v\mu$, then $\Gamma \vdash M^\circ : \sigma;\ \Delta$ in implicit λμ.

(ii) If we have $\Gamma \vdash M_1 : \sigma;\ \Delta$ in implicit λμ, then there exists $M_2$ such that $M_1 = M_2^\circ$ and $\Gamma \vdash M_2 : \sigma;\ \Delta$ in $\lambda_v\mu$.

The set of types inhabited by terms coincides between implicit λμ and $\lambda_v\mu$. However, erasing type information makes many more reductions possible, such as η-reduction of the erasure in Mitchell [24], and the subject reduction property for $M^\circ$ is broken down, as the counterexample in section 2 shows.

4 CPS-Translation for $\lambda_v\mu$-Calculus

To provide the CPS-translation, we define a simplified version of λ2 à la Church as the intuitionistic fragment of $\lambda_v\mu$ (this system of λ2 is the so-called domain-free system [5]). Here, besides λ-variables $x, y, z, \ldots$ used in λ-calculus as usual, λ2 has the distinguished variables $\alpha, \beta, \ldots$ called continuation variables. Reduction rules in λ2 are also defined as usual under call-by-name. The term with the form $[\alpha]M$ (value) will be interpreted as $\lambda k.k(\overline{M}\alpha)$, where the representation of $\overline{M}\alpha$ is consumed by the continuation $k$, such as the case of λ-abstraction. The translation from $\lambda_v\mu$ to λ2, with an auxiliary function $\Psi$ for values, comes from Plotkin [33].

Definition 1 (CPS-translation).
$$\overline{x} = \lambda k.kx;\quad \overline{\lambda x.M} = \lambda k.k(\lambda x.\overline{M});\quad \overline{M_1 M_2} = \lambda k.\overline{M_1}(\lambda m.\overline{M_2}(\lambda n.mnk));\quad \overline{\Lambda t.M} = \lambda k.k(\Lambda t.\overline{M});$$
$$\overline{M\sigma} = \lambda k.\overline{M}(\lambda m.m\sigma^q k);\quad \overline{\mu\alpha.M} = \lambda\alpha.\overline{M}(\lambda x.x);\quad \overline{[\alpha]M} = \lambda k.k(\overline{M}\alpha).$$
$$\Psi(x) = x;\quad \Psi(\lambda x.M) = \lambda x.\overline{M};\quad \Psi(\Lambda t.M) = \Lambda t.\overline{M};\quad \Psi([\alpha]M) = \overline{M}\alpha.$$
$$t^q = t;\quad (\sigma_1 \to \sigma_2)^q = \sigma_1^q \to \neg\neg\sigma_2^q;\quad (\forall t.\sigma)^q = \forall t.\neg\neg\sigma^q.$$

According to the continuation semantics of Meyer&Wand [27], our definition of the CPS-translation can be read as follows: If we have a variable $x$, then the value $x$ is passed on to the continuation $k$. In the case of a λ- or Λ-abstraction, a certain function that will take two arguments is passed on to the continuation $k$. If we have a term with a continuation variable $\alpha$, then a certain function with the argument $\alpha$ is passed on to the continuation $k$, where the variable $\alpha$ will be substituted by a continuation. Here, it would be natural that a value is regarded as the term that is mapped by $\Psi$ to some term consumed by the continuation $k$, since the continuation is the context in which a term is evaluated and then to which the value is sent. Our notion of values as an extended form is derived following this observation.

Lemma 1. Let = denote the definitional equality of the CPS-translation. 

(i) For any term M where k 0 FV{M), Xk.Mk M . 

(ii) For any value Y ,V = Xk.kFfV). 

(Hi) For any term M , value V , and type a, we have M[x := V] = M[x := \L{V)] 
and M[t := a\ = M\t := a^]. 

The above lemma can be proved by straightforward induction. On the basis of 
the CPS-translation, the left and right context-replacements M[a <^= Mi] and 
M\V a] can be interpreted as the following substitutions for continuation 
variables, respectively. 

Lemma 2. Let $M$ contain $i$ free occurrences of $[\alpha]$ where $i \geq 0$. Then we have that $\overline{M[\alpha \Leftarrow M_1]} \triangleright^i_\beta \overline{M}[\alpha := \lambda m.\overline{M_1}(\lambda n.mn\alpha)]$ and $\overline{M[\alpha \Leftarrow \sigma]} \triangleright^i_\beta \overline{M}[\alpha := \lambda m.m\sigma^q\alpha]$.

Proof. By induction on the structure of $M$. □

Lemma 3. For any term $M$ and value $V$, $\overline{M[V \Rightarrow \alpha]} \triangleright^i_\beta \overline{M}[\alpha := \lambda n.\Psi(V)n\alpha]$, where $M$ contains $i$ free occurrences of $[\alpha]$.

Proof. By induction on the structure of $M$. □

Lemma 4. If we have $M \triangleright N$ in $\lambda_v\mu$, then $\overline{M} =_{\beta\eta} \overline{N}$ in $\lambda 2$.

Proof. By induction on the derivation of $M \triangleright N$. □

Now we have confirmed the soundness of the translation in the sense that equivalent $\lambda_v\mu$-terms are translated into equivalent $\lambda 2$-terms. This property holds for untyped terms.

Proposition 2 (Soundness of the CPS-translation). If we have $M = N$ in $\lambda_v\mu$, then $\overline{M} =_{\beta\eta} \overline{N}$ in $\lambda 2$.
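As an added illustration (not code from the paper), the following Python implements Definition 1 on the propositional fragment (no $\Lambda t.M$ or $M\sigma$), together with $\beta$-normalisation of the target, and checks Lemma 4 on instances of $(\beta_v)$, $(\mu\text{-}\eta)$ and $(rn)$; it also shows why the renaming rule $(rn)$ is restricted to values, as remarked in Section 6. The term constructors, the fresh-name scheme and the sample terms are this example's own assumptions.

```python
from dataclasses import dataclass

# Propositional fragment of the call-by-value lambda-mu calculus (Lambda t.M and
# M sigma are omitted).  Var/Lam/App double as the target lambda-calculus.
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: x: str; body: object            # lambda x.M
@dataclass(frozen=True)
class App: fun: object; arg: object        # M N
@dataclass(frozen=True)
class Mu: a: str; body: object             # mu alpha.M
@dataclass(frozen=True)
class Named: a: str; body: object          # [alpha]M

def is_value(M):                           # extended values: x | lambda x.M | [alpha]M
    return isinstance(M, (Var, Lam, Named))

class CPS:
    """Definition 1 on this fragment; mu-names alpha become ordinary variables."""
    def __init__(self):
        self.counter = 0
    def fresh(self, base):
        self.counter += 1
        return f"{base}{self.counter}"

    def tr(self, M):
        """M-bar."""
        if is_value(M):                      # V-bar = lambda k.k Psi(V)   (Lemma 1 (ii))
            k = self.fresh("k")
            return Lam(k, App(Var(k), self.psi(M)))
        if isinstance(M, App):               # lambda k.M1-bar(lambda m.M2-bar(lambda n.m n k))
            k, m, n = self.fresh("k"), self.fresh("m"), self.fresh("n")
            inner = Lam(m, App(self.tr(M.arg), Lam(n, App(App(Var(m), Var(n)), Var(k)))))
            return Lam(k, App(self.tr(M.fun), inner))
        assert isinstance(M, Mu)             # mu alpha.M-bar = lambda alpha.M-bar(lambda x.x)
        x = self.fresh("x")
        return Lam(M.a, App(self.tr(M.body), Lam(x, Var(x))))

    def psi(self, V):
        """Psi(x) = x; Psi(lambda x.M) = lambda x.M-bar; Psi([alpha]M) = M-bar alpha."""
        if isinstance(V, Var):
            return V
        if isinstance(V, Lam):
            return Lam(V.x, self.tr(V.body))
        return App(self.tr(V.body), Var(V.a))

def free_vars(M):
    if isinstance(M, Var):
        return {M.name}
    if isinstance(M, Lam):
        return free_vars(M.body) - {M.x}
    return free_vars(M.fun) | free_vars(M.arg)

_renamed = [0]                               # counter for capture-avoiding renames
def subst(M, x, N):
    """Capture-avoiding M[x := N] on target terms."""
    if isinstance(M, Var):
        return N if M.name == x else M
    if isinstance(M, App):
        return App(subst(M.fun, x, N), subst(M.arg, x, N))
    if M.x == x:
        return M
    if M.x in free_vars(N):                  # rename the binder before going under it
        _renamed[0] += 1
        fresh = f"{M.x}_{_renamed[0]}"
        return Lam(fresh, subst(subst(M.body, M.x, Var(fresh)), x, N))
    return Lam(M.x, subst(M.body, x, N))

def normalize(M):
    """Beta-normal form by leftmost-outermost reduction (terminates on typed terms)."""
    if isinstance(M, Var):
        return M
    if isinstance(M, Lam):
        return Lam(M.x, normalize(M.body))
    f = normalize(M.fun)
    if isinstance(f, Lam):
        return normalize(subst(f.body, f.x, M.arg))
    return App(f, normalize(M.arg))

def alpha_eq(s, t, env=()):
    """Alpha-equivalence of target terms; env pairs binders of s with binders of t."""
    if type(s) is not type(t):
        return False
    if isinstance(s, Var):
        bound = [(a, b) for a, b in env if a == s.name or b == t.name]
        return (bound[-1] == (s.name, t.name)) if bound else s.name == t.name
    if isinstance(s, Lam):
        return alpha_eq(s.body, t.body, env + ((s.x, t.x),))
    return alpha_eq(s.fun, t.fun, env) and alpha_eq(s.arg, t.arg, env)

def simulated(M, N):
    """True iff M-bar and N-bar have the same beta-normal form (up to renaming)."""
    c = CPS()
    return alpha_eq(normalize(c.tr(M)), normalize(c.tr(N)))

x, y, z = Var("x"), Var("y"), Var("z")                                  # constructed samples
BETA_V = simulated(App(Lam("x", x), y), y)                              # (beta_v): True
MU_ETA = simulated(Mu("a", Named("a", x)), x)                            # (mu-eta): True
RN_VALUE = simulated(Named("a", Mu("b", Named("b", x))), Named("a", x))  # (rn) on a value: True
# Renaming a non-value body is not simulated, which is why (rn) is restricted to values.
RN_NONVALUE = simulated(Named("a", Mu("b", App(y, z))), Named("a", App(y, z)))  # False
```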

The translation logically establishes the double negation translation of Kuroda. For a set of name-indexed formulae $\Delta$, we define $(\sigma^\alpha, \Delta)^q$ as $\alpha : \neg\sigma^q, \Delta^q$.

Proposition 3. If $\lambda_v\mu$ has $\Gamma \vdash M : \sigma;\ \Delta$, then $\lambda 2$ has $\Gamma^q, \Delta^q \vdash \overline{M} : \neg\neg\sigma^q$.

Proof. By induction on the derivation. □

From the consistency of $\lambda 2$, it follows that $\lambda_v\mu$ is consistent in the sense that there is no closed term $M$ such that $\vdash M : \bot;$ in $\lambda_v\mu$.

With respect to Proposition 2, it is known that the implication is, in general, not reversible. The counterexample in [33] is not well-typed. Even if we consider only well-typed $\lambda_v\mu$-terms, completeness does not hold for $\lambda_v\mu$: If we have $M_1 = (\lambda x.x)(xy)$ and $M_2 = xy$ in $\lambda_v\mu$, then $\overline{M_1} =_{\beta\eta} \overline{xy} = \overline{M_2}$ in $\lambda 2$, but $M_1 \neq M_2$ in $\lambda_v\mu$. Note that in this counterexample, if one excluded $\eta$-reduction, then $\overline{M_1} \neq_\beta \overline{M_2}$. Following Hofmann [18], the rewriting rules of $\lambda_v\mu$ are weak from the viewpoint of the semantics, since Ident, $(\lambda x.x)M = M$, is necessary in this case.

According to Ong&Stewart [29], their call-by-value $\lambda\mu$-calculus has more reduction rules with the help of type annotation; $\top$-reduction:
y(3'^ .M^ ifcr^T. 

Here, assume that we have $N_1 = (\lambda x.x)(x([\alpha]y))$ and $N_2 = x([\alpha]y)$, such that $x : \bot \to \sigma, y : \sigma \vdash N_i : \sigma;\ \sigma^\alpha$ $(i = 1, 2)$ where $\sigma \neq \top$ in $\lambda_v\mu$. Then $N_1$ and $N_2$ are reduced to $N_3 = \mu\beta.[\alpha]y$ by the use of $\top$-reduction. Now, we have $\overline{N_1} =_{\beta\eta} x(\alpha y) =_{\beta\eta} \overline{N_2}$ in $\lambda 2$, but $\overline{N_3} =_\beta \lambda\beta.\alpha y$ in $\lambda 2$. This example means that the soundness of the CPS-translation breaks down for $\lambda_v\mu$ with $\top$-reduction, even in the absence of $\eta$-reduction. However, on the basis of the correspondence between the $\mu$-operator and Felleisen's $\mathcal{C}$-operator [9] such that $\mu\alpha.M = \mathcal{C}(\lambda\alpha.M)$ and $[\alpha]M = \alpha M$, one obtains that $x(\alpha y) =_C (\lambda x.\mathcal{A}(x))(\alpha y) =_C \mathcal{A}(\alpha y) =_C \mathcal{C}(\lambda\beta.\alpha y)$ in the equational theory $\lambda_C$ [18]. From this naive observation, Hofmann's categorical models for $\lambda_C$ would also work for an equational version of the call-by-value $\lambda\mu$-calculus.

Let $\triangleright_{\beta\eta r}$ be one-step $\triangleright$ consisting of $(\beta_v)$, $(\beta_t)$, $(\eta_v)$, or $(rn)$. Let $\triangleright_{st}$ be one-step $\triangleright$ consisting of $(\mu_l)$, $(\mu_r)$, or $(\mu_t)$. Following the proof of Lemma 2, if $M_1 \triangleright_{\beta\eta r} M_2$, then $\overline{M_1} \triangleright \overline{M_2}$. On the other hand, a $\triangleright_{st}$-step from $M$ does not simply induce $\beta$-steps from $\overline{M}$, i.e., $\beta$-conversion may be used. To demonstrate strong normalization for well-typed $\lambda_v\mu$-terms, it is enough to construct an infinite reduction path from $\overline{M}$ whenever $M$ has an infinite reduction path. In the case of $\triangleright_{st}$, following Lemmata 2 and 3, the CPS-translated terms without the $\beta$-conversion still have enough $\beta$-, $\eta$-redexes to construct an infinite reduction.
For instance, in the case $M_1$ of $(V(\mu\alpha.M))N$, we have $M_1 \triangleright_{st} M_2 \triangleright_{st} M_3$, where $M_2 = (\mu\alpha.M[V \Rightarrow \alpha])N$ and $M_3 = \mu\alpha.M[V \Rightarrow \alpha][\alpha \Leftarrow N]$. Here, $\overline{M_1}$ can be reduced as follows:

$\overline{M_1} \triangleright^*_\beta N_2 = \lambda k.(\lambda\alpha.\overline{M}\,id\,\theta_1)(\lambda m.\overline{N}(\lambda n.mnk)) \triangleright^*_\beta N_3 = \lambda\alpha.\overline{M}\,id\,\theta_1\theta_2$,
where $id = \lambda x.x$, $\theta_1 = [\alpha := \lambda n.\Psi(V)n\alpha]$, and $\theta_2 = [\alpha := \lambda m.\overline{N}(\lambda n.mn\alpha)]$. We now have $\overline{M_2} \triangleright^*_\beta N_2$ and $\overline{M_3} \triangleright^*_\beta N_3$. Let $[N/\alpha]$ be either $[N \Rightarrow \alpha]$ or $[\alpha \Leftarrow N]$.

Lemma 5. (i) If $M_1 \triangleright_{st} M_2 \triangleright_{st} M_3$, then $\overline{M_1} \triangleright^*_\beta N_2 \triangleright^*_\beta N_3$ for some $\lambda 2$-terms $N_2$ and $N_3$ such that $\overline{M_2} \triangleright^*_\beta N_2$ and $\overline{M_3} \triangleright^*_\beta N_3$.

(ii) Let $\alpha \notin FN(N)$. If $M_1[N/\alpha] \triangleright_{\beta\eta r} M_2$, then $\overline{M_1}\theta_1 \triangleright^+_{\beta\eta} N_2\theta_2$ for some $\lambda 2$-term $N_2$ and substitutions $\theta_1$ and $\theta_2$ such that $\overline{M_1[N/\alpha]} \triangleright^*_\beta \overline{M_1}\theta_1$ and $\overline{M_2} \triangleright^*_\beta N_2\theta_2$.

Proof. By induction on the derivations of $\triangleright_{st}$ and $\triangleright_{\beta\eta r}$. □

Lemma 6. If there exists an infinite $\triangleright$-reduction path from a $\lambda_v\mu$-term $M$, then $\overline{M}$ also has an infinite $\triangleright_{\beta\eta}$-reduction path.

Proof. From Lemma 5 and the proof of Lemma 4. □

From Proposition 3, Lemma 6 and the fact that $\lambda 2$ is strongly normalizing [5], the strong normalization property for $\lambda_v\mu$ can be obtained.

Proposition 4 (Strong Normalization Property for $\lambda_v\mu$). Any well-typed $\lambda_v\mu$-term is strongly normalizable.

It is observed [10] that the straightforward use of the Tait&Martin-Löf parallel reduction [37] could not work for proving the Church-Rosser property for $\lambda\mu$ including the renaming rule, contrary to the comments on Theorem 2.5 in [29]. Even though one defines parallel reduction $\gg$ as usual, we cannot establish that if $M_i \gg N_i$ $(i = 1, 2)$, then $M_1[\alpha \Leftarrow M_2] \gg N_1[\alpha \Leftarrow N_2]$; fact (iv) in the proof of Theorem 1 in [30].

Lemma 7 (Weak Church-Rosser Property for $\lambda_v\mu$). If $M \triangleright M_1$ and $M \triangleright M_2$, then $M_1 \triangleright^* N$ and $M_2 \triangleright^* N$ for some $N$.

From Proposition 4 and Lemma 7, we can obtain the Church-Rosser property 
using Newman’s lemma [2]. 

Proposition 5 (Church-Rosser Theorem). $\lambda_v\mu$ has the Church-Rosser property for well-typed terms.



5 Damas-Milner Style with $\mu$-Operators

There exist implicitly typed and explicitly typed ML, and with respect to implicitly typed ML, there also exist two styles: the conventional ML [6] and the system ML* [22], in which assumption types are universal and derived types are monomorphic. Those two implicitly typed MLs are essentially equivalent [22], and moreover, implicitly and explicitly typed ML are also equivalent [17]. First, we provide an explicitly typed ML with $\mu$-operators, called $\lambda\mu_{emi}$, and define a CPS-translation into $\lambda 2$. Next, an implicitly typed ML* with $\mu$-operators, called $\lambda\mu_{imi}$, is provided, and a CPS-translation into ML is defined. Finally, we give a brief comparison between them.



5.1 $\lambda\mu_{emi}$: Explicit let-polymorphism by value

Following the observation in section 2, we introduce an explicitly typed ML with $\mu$-operators especially for polymorphic terms, which is regarded as a short-hand for the completely explicitly typed ML plus $\mu$-operators. We define the system $\lambda\mu_{emi}$ under call-by-value in the following. The types $\tau$ and the type schemes $\sigma$ are defined as usual. A type assumption $\Gamma$ is a finite set of declarations with the form $x{:}\sigma$, and $\Delta$ is a finite set of name-indexed types with the form $\tau^\alpha$.

$\tau ::= t \mid \bot \mid \tau \to \tau$ $\quad$ $\sigma ::= \tau \mid \forall t.\sigma$ $\quad$ $\Gamma ::= \langle\rangle \mid x{:}\sigma, \Gamma$ $\quad$ $\Delta ::= \langle\rangle \mid \tau^\alpha, \Delta$

$$\Gamma \vdash x : \Gamma(x);\ \Delta$$

$$\frac{\Gamma \vdash M_1 : \tau_1 \to \tau_2;\ \Delta \qquad \Gamma \vdash M_2 : \tau_1;\ \Delta}{\Gamma \vdash M_1 M_2 : \tau_2;\ \Delta}\ (\to E)
\qquad
\frac{\Gamma, x{:}\tau_1 \vdash M : \tau_2;\ \Delta}{\Gamma \vdash \lambda x.M : \tau_1 \to \tau_2;\ \Delta}\ (\to I)$$

$$\frac{\Gamma \vdash M : \forall t.\sigma;\ \Delta}{\Gamma \vdash M\tau : \sigma[t := \tau];\ \Delta}\ (Inst)
\qquad
\frac{\Gamma \vdash M : \sigma;\ \Delta}{\Gamma \vdash \Lambda t.M : \forall t.\sigma;\ \Delta}\ (Gen)^*$$

$$\frac{\Gamma \vdash M_1 : \sigma;\ \Delta \qquad \Gamma, x{:}\sigma \vdash M_2 : \tau;\ \Delta}{\Gamma \vdash \mathrm{let}\ x = M_1\ \mathrm{in}\ M_2 : \tau;\ \Delta}\ (Let)$$

$$\frac{\Gamma \vdash M : \tau;\ \Delta}{\Gamma \vdash [\alpha]M : \bot;\ \Delta, \tau^\alpha}\ (\bot I)
\qquad
\frac{\Gamma \vdash M : \bot;\ \Delta, \tau^\alpha}{\Gamma \vdash \mu\alpha.M : \tau;\ \Delta}\ (\bot E)$$

where $(Gen)^*$ denotes the eigenvariable condition.

Reduction rules:

$(\beta_v)$ $(\lambda x.M)V \triangleright M[x := V]$; $\quad$ $(\eta_v)$ $\lambda x.Vx \triangleright V$ if $x \notin FV(V)$;

$(let)$ $\mathrm{let}\ x = V\ \mathrm{in}\ M \triangleright M[x := V]$; $\quad$ $(\beta_t)$ $(\Lambda t.M)\tau \triangleright M[t := \tau]$;

$(let\text{-}\mu_e)$ $\mathrm{let}\ x = \mu\alpha.M_1\ \mathrm{in}\ M_2 \triangleright \mu\alpha.M_1[\lambda x.M_2 \Rightarrow \alpha]$;

$(\mu_r)$ $(\mu\alpha.M_1)M_2 \triangleright \mu\alpha.M_1[\alpha \Leftarrow M_2]$; $\quad$ $(\mu_l)$ $V(\mu\alpha.M) \triangleright \mu\alpha.M[V \Rightarrow \alpha]$;

$(rn)$ $[\alpha](\mu\beta.V) \triangleright V[\beta := \alpha]$; $\quad$ $(\mu\text{-}\eta)$ $\mu\alpha.[\alpha]M \triangleright M$ if $\alpha \notin FN(M)$,

where the notion of values is the same as that in section 3.

We denote by $\triangleright_{emi}$ the one-step reduction induced by the rules above. We write $=_{emi}$ for the reflexive, symmetric, transitive closure of $\triangleright_{emi}$.

Since in the reduction $(let\text{-}\mu_e)$ the let-bound expression $\mu\alpha.M$ must have a monomorphic type, that is, $\mathrm{let}\ x = \mu\alpha.M_1\ \mathrm{in}\ M_2$ can be read as an abbreviation for $(\lambda x.M_2)(\mu\alpha.M_1)$ for well-typed terms, we have the subject reduction property for $\lambda\mu_{emi}$ without any restrictions.



Proposition 6 (Subject reduction property for $\lambda\mu_{emi}$). If we have $\Gamma \vdash M_1 : \sigma;\ \Delta$ and $M_1 \triangleright_{emi} M_2$ in $\lambda\mu_{emi}$, then $\Gamma \vdash M_2 : \sigma;\ \Delta$ in $\lambda\mu_{emi}$.

Definition 2 (CPS-translation from $\lambda\mu_{emi}$ to $\lambda 2$).
$\overline{x} = \lambda k.kx$; $\overline{\lambda x.M} = \lambda k.k(\lambda x.\overline{M})$; $\overline{\Lambda t.M} = \lambda k.k(\Lambda t.\overline{M})$; $\overline{[\alpha]M} = \lambda k.k(\overline{M}\alpha)$;
$\overline{M_1 M_2} = \lambda k.\overline{M_1}(\lambda m.\overline{M_2}(\lambda n.mnk))$; $\overline{M\tau} = \lambda k.\overline{M}(\lambda m.m\tau^q k)$;
$\overline{\mathrm{let}\ x = M_1\ \mathrm{in}\ M_2} = \lambda k.\overline{M_1}(\lambda x.\overline{M_2}k)$; $\overline{\mu\alpha.M} = \lambda\alpha.\overline{M}(\lambda x.x)$.

$\Psi(x) = x$; $\Psi(\lambda x.M) = \lambda x.\overline{M}$; $\Psi(\Lambda t.M) = \Lambda t.\overline{M}$; $\Psi([\alpha]M) = \overline{M}\alpha$.

$\tau^q = \tau$ where $\tau$ is atomic; $(\tau_1 \to \tau_2)^q = \tau_1^q \to \neg\neg\tau_2^q$.



Lemma 8. If $M \triangleright_{emi} N$, then $\overline{M} =_{\beta\eta} \overline{N}$.

Proof. By induction on the derivation of $M \triangleright_{emi} N$. □

We have confirmed the soundness of the CPS-translation for untyped terms.

Proposition 7 (Soundness of the CPS-translation). If we have $M =_{emi} N$ in $\lambda\mu_{emi}$, then $\overline{M} =_{\beta\eta} \overline{N}$ in $\lambda 2$.

Without any restriction, the translation logically establishes Kuroda's translation. We define $(\tau^\alpha, \Delta)^q$ as $\alpha : \neg\tau^q, \Delta^q$ and $(\forall t.\tau)^q$ as $\forall t.\neg\neg\tau^q$.

Proposition 8. If $\lambda\mu_{emi}$ has $\Gamma \vdash M : \sigma;\ \Delta$, then $\lambda 2$ has $\Gamma^q, \Delta^q \vdash \overline{M} : \neg\neg\sigma^q$.

Similarly to Proposition 4, we also have the strong normalization property for well-typed $\lambda\mu_{emi}$-terms.

Proposition 9. $\lambda\mu_{emi}$ has the strong normalization property for well-typed terms.



5.2 $\lambda\mu_{imi}$: Implicit let-polymorphism by value

We introduce an implicitly typed ML* (see also [22]) with $\mu$-operators.



$$\Gamma \vdash x : \tau;\ \Delta \quad \text{if } \tau \leq \Gamma(x)$$

$$\frac{\Gamma \vdash M_1 : \tau_1 \to \tau_2;\ \Delta \qquad \Gamma \vdash M_2 : \tau_1;\ \Delta}{\Gamma \vdash M_1 M_2 : \tau_2;\ \Delta}\ (\to E)
\qquad
\frac{\Gamma, x{:}\tau_1 \vdash M : \tau_2;\ \Delta}{\Gamma \vdash \lambda x.M : \tau_1 \to \tau_2;\ \Delta}\ (\to I)$$

$$\frac{\Gamma \vdash M_1 : \tau_1;\ \Delta \qquad \Gamma, x{:}\forall t.\tau_1 \vdash M_2 : \tau_2;\ \Delta}{\Gamma \vdash \mathrm{let}\ x = M_1\ \mathrm{in}\ M_2 : \tau_2;\ \Delta}\ (let)^*$$

$$\frac{\Gamma \vdash M : \tau;\ \Delta}{\Gamma \vdash [\alpha]M : \bot;\ \Delta, \tau^\alpha}\ (\bot I)
\qquad
\frac{\Gamma \vdash M : \bot;\ \Delta, \tau^\alpha}{\Gamma \vdash \mu\alpha.M : \tau;\ \Delta}\ (\bot E)$$

where $(let)^*$ denotes the eigenvariable condition, and $\bot$ is a type constant.
Reduction rules: 

$(\beta_v)$ $(\lambda x.M)V \triangleright M[x := V]$; $\quad$ $(\eta_v)$ $\lambda x.Vx \triangleright V$ if $x \notin FV(V)$;

$(let)$ $\mathrm{let}\ x = V\ \mathrm{in}\ M \triangleright M[x := V]$;

$(let\text{-}\mu_i)$ $\mathrm{let}\ x = \mu\alpha.M_1\ \mathrm{in}\ M_2 \triangleright \mathrm{let}\ x = \lambda x.\mu\alpha.M_1[\alpha \Leftarrow x]\ \mathrm{in}\ M_2$
where $M_1$ contains a subterm of the form $[\alpha](\lambda y.w)$;

$(\mu_r)$ $(\mu\alpha.M_1)M_2 \triangleright \mu\alpha.M_1[\alpha \Leftarrow M_2]$; $\quad$ $(\mu_l)$ $V(\mu\alpha.M) \triangleright \mu\alpha.M[V \Rightarrow \alpha]$;

$(rn)$ $[\alpha](\mu\beta.V) \triangleright V[\beta := \alpha]$; $\quad$ $(\mu\text{-}\eta)$ $\mu\alpha.[\alpha]M \triangleright M$ if $\alpha \notin FN(M)$,

where the notion of values is the same as that in section 3. 
Note the similarity of $C_{fuh}$ in [29] to $(let\text{-}\mu_i)$, but note also that in $\lambda\mu_{imi}$, $C_{fuh}$ is applied only to the top level of the let-bound expression, whose result can be reduced by $(let)$ under call-by-value. On the other hand, since a term of the form $\mu\alpha.M$ is not a value, $\mathrm{let}\ x = \mu\alpha.M_1\ \mathrm{in}\ M_2$ cannot be reduced by $(let)$ directly. In other words, the application of $(let\text{-}\mu_i)$ regards polymorphic $\mu\alpha.M$ as a value of the form $\lambda x.\mu\alpha.M[\alpha \Leftarrow x]$ (polymorphic $\mu\alpha.M$ cannot cooperate with $(\mu_l)$; see below), and then $\mathrm{let}\ f = \mu\alpha.M\ \mathrm{in}\ (\lambda x.N)f$ is not reduced by $(\mu_l)$ but by $(\beta_v)$, and $\mathrm{let}\ f = \mu\alpha.M\ \mathrm{in}\ f(\mu\beta.N)$ is not reduced by $(\mu_r)$ but by $(\mu_l)$.

As in $\lambda\mu_{emi}$, we can establish the subject reduction property for $\lambda\mu_{imi}$. However, in $\lambda\mu_{imi}$ we cannot adopt $(let\text{-}\mu_e)$: $\mathrm{let}\ x = \mu\alpha.M\ \mathrm{in}\ N \triangleright \mu\alpha.M[\lambda x.N \Rightarrow \alpha]$, since $(let\text{-}\mu_e)$ cannot be well-typed in $\lambda\mu_{imi}$. One may still consider $(let\text{-}\mu_e)$ in the $\beta$-reduced form:

$(let\text{-}\mu_e')$ $\mathrm{let}\ x = \mu\alpha.M\ \mathrm{in}\ N \triangleright \mu\alpha.M[[\alpha](N[x := w])/[\alpha]w]$,
where the term $M[[\alpha](N[x := w])/[\alpha]w]$ is obtained from $M$ by replacing each subterm of the form $[\alpha]w$ with $[\alpha](N[x := w])$. In general, $(let\text{-}\mu_e')$ cannot represent a correct proof reduction either. To verify this, assume that we have the following proof figure for the left-hand side of $(let\text{-}\mu_e')$, where $\mu\alpha.M$ is used polymorphically in $N$ more than once:



Left-hand side (the subproofs $\Pi_1$ and $\Pi_2$ are shown by their conclusions):

    $\Pi_1$:  $M : \bot;\ \tau_1^\alpha$
              $\mu\alpha.M : \tau_1$
    $\Pi_2$:  $x : \forall t.\tau_1$        $x : \forall t.\tau_1$
              $x : \tau_1[t := \tau_3]$     $x : \tau_1[t := \tau_4]$
              $N : \tau_2$
    $\mathrm{let}\ x = \mu\alpha.M\ \mathrm{in}\ N : \tau_2$        $(let)^*$

Then one obtains the following type assignment for the right-hand side, with $P = \mu\alpha.M$ and $S$ a substitution:

    $\Pi_1[t := \tau_3] \circ S$:  $P : \tau_1[t := \tau_3] \circ S$        $\Pi_1[t := \tau_4] \circ S$:  $P : \tau_1[t := \tau_4] \circ S$
    $\Pi_2 S$:  $N[x := P] : \tau_2 S$
                $[\alpha](N[x := P]) : \bot;\ (\tau_2 S)^\alpha$
    $\Pi_2[t := \tau_3] \circ S$:  $M[[\alpha](N[x := w])/[\alpha]w] : \bot;\ (\tau_2 S)^\alpha$
                                   $\mu\alpha.M[[\alpha](N[x := w])/[\alpha]w] : \tau_2 S$

Here, $\tau_3$ and $\tau_4$ must be unifiable under some substitution $S$, since the assumption whose type contains a free variable $t$ in $\Pi_1$ may be discharged by $(\to I)$ in $\Pi_2$, and in this case those assumptions must be cancelled by the single application of $(\to I)$ after the reduction.

Following the above observation, we obtain that $(let\text{-}\mu_e')$ represents a correct proof reduction only if all types of $x$ in $N$ can be unified, where the merit of polymorphism is lost. It can also be observed that, in the above proof figure, if $\Pi_2$ contains no $(\to I)$ that discharges the type containing free $t$, then there is no need to unify each type of $x$ in $N$, and $(let\text{-}\mu_e')$ becomes correct in this case.
For example, in the case of $\mathrm{let}\ x = \mu\alpha.[\alpha]\lambda y.\mu\beta.[\alpha](\lambda v.y)\ \mathrm{in}\ N$, one has to unify each type of $x$ in $N$. On the other hand, $(let\text{-}\mu_e')$ is a correct reduction for the case of $\mathrm{let}\ x = \mu\alpha.[\alpha]\lambda v.\mu\beta.[\alpha](\lambda y.y)\ \mathrm{in}\ N$. See also the observation in section 2.

It would not be straightforward to give a CPS-translation to $\lambda\mu_{imi}$, since, as observed above, polymorphic let-expressions cannot be read as an abbreviation of $\lambda$-expressions, which can cooperate with $(\mu_l)$ under call-by-value. Hence, we start by separating the $\lambda$-variables $x$ into two categories: monomorphic $x : \tau$ and polymorphic $X : \forall t.\tau$. We also consider a strict class of values, excluding a single occurrence $X$: $V ::= x \mid \lambda x.M \mid [\alpha]M$. To establish the CPS-translation, the call-by-value reduction rules are applied for the strict class. Then a call-by-value CPS-translation is given to monomorphic $x$, and a call-by-name CPS-translation to polymorphic $X$. The translation from $\lambda\mu_{imi}$ (ML* plus $\mu$-operator) to ML ($\lambda\mu_{emi}$ without $\mu$-operators) is defined as follows:

Definition 3 (CPS-translation from $\lambda\mu_{imi}$ to ML).
$\overline{x} = \lambda k.kx$; $\overline{X} = \lambda k.Xk$; $\overline{\lambda x.M} = \lambda k.k(\lambda x.\overline{M})$; $\overline{[\alpha]M} = \lambda k.k(\overline{M}\alpha)$;
$\overline{M_1 M_2} = \lambda k.\overline{M_1}(\lambda m.\overline{M_2}(\lambda n.mnk))$;
$\overline{\mathrm{let}\ X = M_1\ \mathrm{in}\ M_2} = \lambda k.(\mathrm{let}\ X = \overline{M_1}\ \mathrm{in}\ (\overline{M_2}k))$; $\overline{\mu\alpha.M} = \lambda\alpha.\overline{M}(\lambda x.x)$.

$\Psi(x) = x$; $\Psi(\lambda x.M) = \lambda x.\overline{M}$; $\Psi([\alpha]M) = \overline{M}\alpha$.

The Meyer-Wand typing property (Kuroda's double negation) can be established for $\lambda\mu_{imi}$ without any restriction.

Proposition 10. If $\lambda\mu_{imi}$ has $\Gamma \vdash M : \tau;\ \Delta$, then ML has $\Gamma^q, \Delta^q \vdash \overline{M} : \neg\neg\tau^q$.

Now, $\lambda\mu_{imi}$ without $(let\text{-}\mu_i)$ has the soundness of the CPS-translation.

Lemma 9. If $M \triangleright_{imi} N$ in $\lambda\mu_{imi}$ without $(let\text{-}\mu_i)$, then $\overline{M} =_{\beta\eta} \overline{N}$ in ML.

Proof. By induction on the derivation of $M \triangleright_{imi} N$. □

Following the proof of Lemma 9, not only $(let)$ itself but also $(let)$ without the restriction to values (call-by-name) can be interpreted. This point would justify the 'by-name' semantics for let-expressions in Harper et al. [13,16] and the implicit let-polymorphism by name in Leroy [23], which is quite similar to $\lambda\mu_{emi}$.

The type erasure $M^\circ$ from $\lambda\mu_{emi}$ to $\lambda\mu_{imi}$ is defined as in section 3. Then the typing relations between $\lambda\mu_{emi}$ and $\lambda\mu_{imi}$ are equivalent as follows:

(i) If we have $\Gamma \vdash M_1 : \tau;\ \Delta$ in $\lambda\mu_{imi}$, then there exists $M_2$ such that $M_1 = M_2^\circ$ and $\Gamma \vdash M_2 : \tau;\ \Delta$ in $\lambda\mu_{emi}$.

(ii) If we have $\Gamma \vdash M : \forall t.\tau;\ \Delta$ in $\lambda\mu_{emi}$, then $\Gamma \vdash M^\circ : \tau;\ \Delta$ in $\lambda\mu_{imi}$.

However, computationally they differ with respect to $(let)$ of $\lambda\mu_{emi}$ and $(let\text{-}\mu_i)$. We compare the two rules in the case where the let-bound expression is a polymorphic control operator.

If we did not consider a reduction strategy, then there would be two critical cases: (1) $(\mu\alpha.M)(\mu\beta.N)$ and (2) $(\lambda x.N)(\mu\alpha.M)$. One can apply $(\mu_r)$ and $(\mu_l)$ in case (1), and $(\mu_l)$ and $(\beta)$ in case (2).

(1) In $\lambda\mu_{emi}$, $\mathrm{let}\ f = \Lambda t.\mu\alpha.M\ \mathrm{in}\ (f\tau)(\mu\beta.N)$ is reduced by $(\mu_r)$ after $(let)$. In turn, $\mathrm{let}\ f = \mu\alpha.M\ \mathrm{in}\ f(\mu\beta.N)$ can be reduced by $(\mu_l)$ in $\lambda\mu_{imi}$.

(2) In $\lambda\mu_{emi}$, $\mathrm{let}\ f = \Lambda t.\mu\alpha.M\ \mathrm{in}\ (\lambda x.N)(f\tau)$ is reduced by $(\mu_l)$ after $(let)$. On the other hand, $\mathrm{let}\ f = \mu\alpha.M\ \mathrm{in}\ (\lambda x.N)f$ can be reduced by $(\beta_v)$ in $\lambda\mu_{imi}$.
With respect to the critical cases, $\lambda\mu_{emi}$ (explicit let-polymorphism by value) and $\lambda\mu_{imi}$ (implicit let-polymorphism by value) choose different computations.



6 Comparison with Related Work and Concluding Remarks

We briefly compare $\lambda\mu_{imi}$ with ML [25] together with callcc [13]. In ML, the class of type variables is partitioned into two subclasses, i.e., the applicative and the imperative type variables. The type of callcc is declared with imperative type variables to guarantee the soundness of the type inference. On the basis of this classification, the typing rule for let-expressions is given such that if the let-bound expression is not a value, then generalization is allowed only for applicative type variables; otherwise generalization is possible with no restriction. There is a simple translation from ML-programs to $\lambda\mu_{imi}$-terms, such that the two subclasses of type variables in ML are degenerated into a single class: $[\![\mathrm{callcc}(M)]\!] = \mu\alpha.[\alpha]([\![M]\!](\lambda x.[\alpha]x))$;

$[\![\mathrm{throw}\ M\ N]\!] = \mu\beta.[\![M]\!]\,[\![N]\!]$ where $\beta$ is fresh.

However, according to Harper et al. [13], the following program:

$\mathrm{let}\ f = \mathrm{callcc}(\lambda k.\lambda x.\mathrm{throw}\ k\ (\lambda v.x))\ \mathrm{in}\ (\lambda x_1 x_2.x_2)(f\ 1)(f\ \mathrm{true})$
is not typable in ML, since $\mathrm{callcc}(\lambda k.\lambda x.\mathrm{throw}\ k\ (\lambda v.x))$ with imperative type variables is not a value, and in the case of non-value expressions, polymorphism is allowed only for expressions with applicative type variables. If it were typable with bool, then it would be reduced to 1 following the operational semantics. Under the translation $[\![\ ]\!]$ together with type annotation, in $\lambda\mu_{emi}$ we have

$\mathrm{let}\ f = \Lambda t.\mu\alpha.[\alpha]\lambda x.\mu\beta.[\alpha](\lambda v.x)\ \mathrm{in}\ (\lambda x_1 x_2.x_2)(f\ \mathrm{int}\ 1)(f\ \mathrm{bool}\ \mathrm{true})$
with type bool, and this is now reduced to true, as in the $\lambda$-calculus plus callcc under call-by-value, not under ML-like call-by-value [15]. In turn, the following term
$\mathrm{let}\ f = \mu\alpha.[\alpha]\lambda x.\mu\beta.[\alpha](\lambda v.x)\ \mathrm{in}\ (\lambda x_1 x_2.x_2)(f\ 1)(f\ 2)$
with type int is reduced to 1 by $(\mu_l)$. On the other hand, in $\lambda\mu_{imi}$ we have
$\mathrm{let}\ f = \mu\alpha.[\alpha]\lambda x.\mu\beta.[\alpha](\lambda v.x)\ \mathrm{in}\ (\lambda x_1 x_2.x_2)(f\ 1)(f\ \mathrm{true})$
with type bool, and this is also reduced to true. $\lambda\mu_{imi}$ can overcome the counterexample of polymorphic callcc in ML, and moreover, the typing conditions for let-expressions can be deleted, as observed in section 5. In particular, $\lambda\mu_{imi}$ is another candidate for implicit polymorphism by value, compared with implicit polymorphism by name in Leroy [23].

Ong&Stewart [29] extensively studied a call-by-value programming language based on a call-by-value variant of the finitely typed $\lambda\mu$-calculus. There are some distinctions between Ong&Stewart and our finite type fragment: their reduction rules have type annotations in the complete Church style, and, using the annotation, more reduction rules are defined than ours, which can give a stronger normal form. In addition, our notion of values is an extended one, which is justified by the observation based on the CPS-translation. Moreover, our renaming rule is applied to the extended values, and following the proof of Lemma 4, this distinction is essential for the CPS-translation of the renaming rule. Otherwise the reductions by the renaming rule would not be simulated by $\beta$-reductions. On the other hand, in the equational theory $\lambda_C$ of Hofmann [18], one obtains $\alpha(\mathcal{C}(\lambda\beta.M)) =_C M[\beta := \alpha]$ without restricting to values, which marks a distinction between equational theory and rewriting theory.

We used the CPS-translation as a useful tool to show consistency and strong normalization of the system. With respect to Proposition 2 (soundness of the CPS-translation): for call-by-name $\lambda\mu$, on the one hand, completeness is obtained in de Groote [7], i.e., the call-by-name CPS-translation is injective. For a call-by-value system with Felleisen's control operators [9], on the other hand, completeness is established with respect to categorical models [18], and moreover, this method is successfully applied to call-by-name $\lambda\mu$ [20]. We believe that our CPS-translation is natural along the lines of [33], and it is worth pursuing the detailed relation to such categorical models [20,36].
Abstract. Typed operational semantics [4,5] is a technique for describing the operational behavior of the terms of type theory. The combination of operational information and types provides a strong induction principle that allows an elegant and uniform treatment of the metatheory of type theory. In this paper, we adapt the new proof of strong normalization by Joachimski and Matthes [6] for the simply-typed $\lambda$-calculus to prove soundness of the Logical Framework for its typed operational semantics. This allows an elegant treatment of strong normalization, Church-Rosser, and subject reduction for $\beta\eta$-reduction for the Logical Framework. Along the way, we also give a cleaner presentation of typed operational semantics than has appeared elsewhere.



1 Introduction 

Typed operational semantics [4,5] is a technique for describing the operational behavior of the terms of type theory. Originally developed for Luo's type theory UTT [11], a system with dependent types, type universes, inductive types, and impredicative propositions, it has also been applied to modal logics [8] and higher-order subtyping [2].

A presentation similar to typed operational semantics was discovered independently by van Raamsdonk and Severi [18]¹. Their approach is to give an operational definition of strong normalization, by elaborating the weak-head normal forms and the one-step weak-head $\beta$-expansions with suitable premisses.

However, their system is limited by their adherence to capturing strong nor- 
malization. If the operational system is instead equipped with types then it can 
serve as the basis for developing the full metatheory of type theory, including 
strengthening, subject reduction, Church-Rosser and strong normalization. This 
is the basis of the technique developed for UTT [4], which gave a new proof of 
subject reduction for $\beta\eta$-reduction using the strength of the induction principle
of typed operational semantics. 

Now at AT&T Labs, 180 Park Ave., Florham Park NJ 07932 USA. 

¹ Loader [9] also developed his work using the same system, after reading [4].
It seems that these benefits of including types in the operational presentation
have been ignored elsewhere because others have worked in the framework of 
simple types. Among the properties that are easy for simple types and more 
difficult for dependent types are: 

— The well-formedness of types. In the simply-typed $\lambda$-calculus types are always well-formed. In systems with dependent types, there is an interdependency between the well-formed terms and the well-formed types.

— The inversion of typing judgements. The simply-typed $\lambda$-calculus can be formulated as a syntax-directed system, meaning that each term constructor has exactly one corresponding rule of inference. This cannot be done with dependent types because of judgemental equality, which can interfere at any point in the derivation of a judgement.

— The enumeration of variables. In the simply-typed $\lambda$-calculus, it can be assumed that there are an infinite number of variables at each type. In systems with dependent types, this cannot be achieved so easily², and so we need to formulate lemmas about the manipulation of the hypotheses in the context, such as Thinning and Strengthening.

For these reasons, the metatheory of dependent types is much more complex than 
that of simple types, and results such as subject reduction require an extensive 
background development. 

Recently, Joachimski and Matthes [6] developed a simple and elegant proof of strong normalization for the simply-typed $\lambda$-calculus using the operational definition of strong normalization, replacing the Tait-Girard style proof using saturated sets or candidates of reducibility. The proof using the operational system follows by simultaneously showing the admissibility of substitution and application in the operational system, by complete induction on the type of the substituted variable or the domain of the application.

Our goal in the present paper is to show that this proof can be adapted to the typed operational semantics for the Logical Framework. This shows that the technique lifts successfully to dependent types, and serves to make explicit the information about types necessary in the proof that can be left implicit and informal for the simply-typed $\lambda$-calculus. Along the way, we also give a cleaner presentation of typed operational semantics than has appeared elsewhere for the Logical Framework, using ideas incorporated from recent work with Compagnoni on typed operational semantics for subtyping [2].

The final result of the paper, Corollary 2, is the equivalence of the usual typing rules of the Logical Framework and the typed operational semantics. This equivalence allows us to use an approach quite different from the traditional one for Pure Type Systems [1,10,17]. We develop all of the properties of the type theory in the typed operational semantics — the only induction on derivations of the

² Adding a new variable to the context extends the possible types, because types can depend on that variable, and so infinite contexts require some kind of diagonalization. Pottinger's infinite contexts [10,14] are one solution, but they are quite heavy technical machinery.
Logical Framework is in the proof of soundness — and then use the equivalence to transfer these properties to the usual presentation.

We believe that the elegance of the development outlined in this paper justifies our approach. Furthermore, although the traditional development of the metatheory of type theory works well with non-normalizing type theories, our approach is more robust for strongly normalizing type theories. For example, as the current paper shows, the difference between the approach for systems with or without $\eta$-reduction is very small when using typed operational semantics, as opposed to other developments [3,15,19].

The operational understanding of type theory, through the operational definition of strong normalization or through typed operational semantics, seems to have been crucial to the discovery of the new proof technique. The same technique almost certainly works directly for strong normalization, without the intermediary operational definition, but verifying the details using traditional tools of the $\lambda$-calculus such as residuals is likely to be difficult and tedious.

Our terminology for soundness and completeness of the typed operational 
semantics has been controversial. Our view is that the operational semantics 
defines a term model for the standard typing rules. This was motivated by our 
earlier proof of soundness, which relied on a saturated-set style term model, but 
we believe that this view is still valid with the new proof. 

In this paper we study Martin-Löf's Logical Framework. Although there are important differences in philosophy between this system and the Edinburgh Logical Framework, technically the work needed to establish results about the two systems in their pure form is very similar.

We see this paper as part of a larger program to redevelop the computa- 
tional foundations of type theory, replacing the Tait-Girard saturated sets or 
candidates of reducibility proof by the simpler proof using typed operational 
semantics. 

The structure of the rest of the paper is as follows. In Section 2 we give a 
short presentation of the Logical Framework. In Section 3 we present the typed 
operational semantics for the Logical Framework and briefly discuss the motiva- 
tions for the system. In Section 4 we develop the basic metatheory of the typed 
operational semantics. In Section 5 we prove the main lemma for the admissibil- 
ity of substitution and application, and use this to show soundness of the Logical 
Framework for its typed operational semantics. Because the admissibility lemma 
is the most important technical contribution of this paper, we give the proof of 
the result in full detail. Finally, in Section 6 we summarize the contributions of 
the paper and mention possible further work. 



2 The Logical Framework 

In this section we give a brief introduction to Martin-Löf's Logical Framework. Our intention is only to give the basic definitions necessary for the technical development of this paper. For an introduction to the philosophy and intended use of the type theory, the interested reader should consult one of the more extensive references [11,13]. To help the reader, we use standard $\lambda$-calculus notation rather than the usual notation for the Logical Framework.

The terms of the Logical Framework are defined by the following grammar:

$A, B, C \in \mathcal{K} ::= \mathrm{Type} \mid \mathrm{El}(M) \mid \Pi x{:}A.B$
$M, N, P \in \mathcal{T} ::= x \mid \lambda x{:}A.M \mid M(N)$
$\Gamma, \Delta, \Phi \in \mathcal{C} ::= \langle\rangle \mid \Gamma, x{:}A$

The elements $A, B, C \in \mathcal{K}$ are called kinds. The kind $\mathrm{Type}$ represents the possible types of the type theory, and the operator $\mathrm{El}(M)$ represents the kind of elements of type $M$, if $M$ is a type. This introduces an interdependency between terms and kinds.

We identify terms that are equivalent up to the renaming of bound variables and write $M \equiv N$ if $M$ and $N$ are equal in this way. We write $FV(M)$ for the free variables in a term $M$, those variables not bound by abstractions. We write $[N/x]M$ for the usual capture-free substitution of $N$ for the free variable $x$ in $M$. Each of these operations is lifted to kinds and contexts in the natural way.

We say that a context $\Gamma = x_1{:}A_1, \ldots, x_n{:}A_n$ such that the $x_i$ are distinct and $FV(A_i) \subseteq \{x_1, \ldots, x_{i-1}\}$ is consistent. We write $dom(\Gamma)$ for the set $\{x_1, \ldots, x_n\}$.

2.1 Basic Rules of Inference

The Logical Framework has five judgement forms:

— $\Gamma \vdash \mathrm{ok}$, meaning that $\Gamma$ is a well-formed context of assumptions,

— $\Gamma \vdash A\ \mathrm{kind}$, meaning that $A$ is a kind under assumptions $\Gamma$,

— $\Gamma \vdash A = B$, meaning that $A$ and $B$ are kinds and are equal under the assumptions $\Gamma$,

— $\Gamma \vdash M : A$, meaning that $A$ is a kind and that $M$ is in $A$, under assumptions $\Gamma$, and

— $\Gamma \vdash M = N : A$, meaning that $A$ is a kind, that $M$ and $N$ are in $A$, and that they are equal in $A$, under assumptions $\Gamma$.

These judgements are defined inductively by the following rules of inference.

Valid Contexts

$$\frac{}{\langle\rangle \vdash \mathrm{ok}}\ (\mathrm{Emp})
\qquad
\frac{\Gamma \vdash A\ \mathrm{kind} \qquad x \notin dom(\Gamma)}{\Gamma, x{:}A \vdash \mathrm{ok}}\ (\mathrm{Weak})$$

Types

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash \mathrm{Type}\ \mathrm{kind}}\ (\mathrm{Type})
\qquad
\frac{\Gamma \vdash M : \mathrm{Type}}{\Gamma \vdash \mathrm{El}(M)\ \mathrm{kind}}\ (\mathrm{El})
\qquad
\frac{\Gamma, x{:}A_1 \vdash A_2\ \mathrm{kind}}{\Gamma \vdash \Pi x{:}A_1.A_2\ \mathrm{kind}}\ (\Pi)$$

Type Equality



$$\frac{\Gamma \vdash A\ \mathrm{kind}}{\Gamma \vdash A = A}\ (\mathrm{KRefl})
\qquad
\frac{\Gamma \vdash A = B}{\Gamma \vdash B = A}\ (\mathrm{KSym})
\qquad
\frac{\Gamma \vdash A = B \qquad \Gamma \vdash B = C}{\Gamma \vdash A = C}\ (\mathrm{KTrans})$$

$$\frac{\Gamma \vdash M = N : \mathrm{Type}}{\Gamma \vdash \mathrm{El}(M) = \mathrm{El}(N)}\ (\mathrm{El\text{-}Eq})
\qquad
\frac{\Gamma \vdash A_1 = B_1 \qquad \Gamma, x{:}A_1 \vdash A_2 = B_2}{\Gamma \vdash \Pi x{:}A_1.A_2 = \Pi x{:}B_1.B_2}\ (\Pi\text{-}\mathrm{Eq})$$

Terms

$$\frac{\Gamma_0, x{:}A, \Gamma_1 \vdash \mathrm{ok}}{\Gamma_0, x{:}A, \Gamma_1 \vdash x : A}\ (\mathrm{Var})
\qquad
\frac{\Gamma, x{:}A_1 \vdash M_0 : A_2}{\Gamma \vdash \lambda x{:}A_1.M_0 : \Pi x{:}A_1.A_2}\ (\lambda)$$

$$\frac{\Gamma \vdash M_1 : \Pi x{:}A_1.A_2 \qquad \Gamma \vdash M_2 : A_1}{\Gamma \vdash M_1(M_2) : [M_2/x]A_2}\ (\mathrm{App})
\qquad
\frac{\Gamma \vdash M : A \qquad \Gamma \vdash A = B}{\Gamma \vdash M : B}\ (\mathrm{Eq})$$

Term Equality

$$\frac{\Gamma \vdash M : A}{\Gamma \vdash M = M : A}\ (\mathrm{Refl})
\qquad
\frac{\Gamma \vdash M = N : A}{\Gamma \vdash N = M : A}\ (\mathrm{Sym})
\qquad
\frac{\Gamma \vdash M = N : A \qquad \Gamma \vdash N = P : A}{\Gamma \vdash M = P : A}\ (\mathrm{Trans})$$

$$\frac{\Gamma \vdash M = N : A \qquad \Gamma \vdash A = B}{\Gamma \vdash M = N : B}\ (=\!\mathrm{R})
\qquad
\frac{\Gamma \vdash A_1 = B_1 \qquad \Gamma, x{:}A_1 \vdash M_0 = N_0 : A_2}{\Gamma \vdash \lambda x{:}A_1.M_0 = \lambda x{:}B_1.N_0 : \Pi x{:}A_1.A_2}\ (\lambda\text{-}\mathrm{Eq})$$

$$\frac{\Gamma \vdash M_1 = N_1 : \Pi x{:}A_1.A_2 \qquad \Gamma \vdash M_2 = N_2 : A_1}{\Gamma \vdash M_1(M_2) = N_1(N_2) : [M_2/x]A_2}\ (\mathrm{App\text{-}Eq})$$

$$\frac{\Gamma, x{:}A_1 \vdash M_0 : A_2 \qquad \Gamma \vdash M_2 : A_1}{\Gamma \vdash (\lambda x{:}A_1.M_0)(M_2) = [M_2/x]M_0 : [M_2/x]A_2}$$



2.2 Structural Rules of Inference 

The rules in this section are separated out because they are admissible. We write $\Gamma \vdash J$ for judgements derived in the full system including these rules, and $\Gamma \vdash^- J$ for judgements derived in the system without these rules. We shall prove the admissibility of the rules through the equivalence with the typed operational semantics.
Substitution Rules

$$\frac{\Gamma, x{:}A, \Gamma' \vdash \mathrm{ok} \qquad \Gamma \vdash P : A}{\Gamma, [P/x]\Gamma' \vdash \mathrm{ok}}$$

$$\frac{\Gamma, x{:}A, \Gamma' \vdash B\ \mathrm{kind} \qquad \Gamma \vdash P : A}{\Gamma, [P/x]\Gamma' \vdash [P/x]B\ \mathrm{kind}}
\qquad
\frac{\Gamma, x{:}A, \Gamma' \vdash B\ \mathrm{kind} \qquad \Gamma \vdash N = P : A}{\Gamma, [N/x]\Gamma' \vdash [N/x]B = [P/x]B}$$

$$\frac{\Gamma, x{:}A, \Gamma' \vdash M : B \qquad \Gamma \vdash P : A}{\Gamma, [P/x]\Gamma' \vdash [P/x]M : [P/x]B}
\qquad
\frac{\Gamma, x{:}A, \Gamma' \vdash M : B \qquad \Gamma \vdash N = P : A}{\Gamma, [N/x]\Gamma' \vdash [N/x]M = [P/x]M : [N/x]B}$$

$$\frac{\Gamma, x{:}A, \Gamma' \vdash B = C \qquad \Gamma \vdash P : A}{\Gamma, [P/x]\Gamma' \vdash [P/x]B = [P/x]C}
\qquad
\frac{\Gamma, x{:}A, \Gamma' \vdash M = N : B \qquad \Gamma \vdash P : A}{\Gamma, [P/x]\Gamma' \vdash [P/x]M = [P/x]N : [P/x]B}$$

Thinning

$$\frac{\Gamma, \Gamma' \vdash \mathrm{ok} \qquad \Gamma \vdash A\ \mathrm{kind} \qquad x \notin FV(\Gamma, \Gamma')}{\Gamma, x{:}A, \Gamma' \vdash \mathrm{ok}}
\qquad
\frac{\Gamma, \Gamma' \vdash B\ \mathrm{kind} \qquad \Gamma \vdash A\ \mathrm{kind} \qquad x \notin FV(\Gamma, \Gamma')}{\Gamma, x{:}A, \Gamma' \vdash B\ \mathrm{kind}}$$

$$\frac{\Gamma, \Gamma' \vdash M : B \qquad \Gamma \vdash A\ \mathrm{kind} \qquad x \notin FV(\Gamma, \Gamma')}{\Gamma, x{:}A, \Gamma' \vdash M : B}
\qquad
\frac{\Gamma, \Gamma' \vdash B = C \qquad \Gamma \vdash A\ \mathrm{kind} \qquad x \notin FV(\Gamma, \Gamma')}{\Gamma, x{:}A, \Gamma' \vdash B = C}$$

$$\frac{\Gamma, \Gamma' \vdash M = N : B \qquad \Gamma \vdash A\ \mathrm{kind} \qquad x \notin FV(\Gamma, \Gamma')}{\Gamma, x{:}A, \Gamma' \vdash M = N : B}$$

Context Replacement

$$\frac{\Gamma, x{:}A, \Gamma' \vdash \mathrm{ok} \qquad \Gamma \vdash A = B}{\Gamma, x{:}B, \Gamma' \vdash \mathrm{ok}}
\qquad
\frac{\Gamma, x{:}A, \Gamma' \vdash C\ \mathrm{kind} \qquad \Gamma \vdash A = B}{\Gamma, x{:}B, \Gamma' \vdash C\ \mathrm{kind}}
\qquad
\frac{\Gamma, x{:}A, \Gamma' \vdash M : C \qquad \Gamma \vdash A = B}{\Gamma, x{:}B, \Gamma' \vdash M : C}$$

$$\frac{\Gamma, x{:}A, \Gamma' \vdash C = D \qquad \Gamma \vdash A = B}{\Gamma, x{:}B, \Gamma' \vdash C = D}
\qquad
\frac{\Gamma, x{:}A, \Gamma' \vdash M = N : C \qquad \Gamma \vdash A = B}{\Gamma, x{:}B, \Gamma' \vdash M = N : C}$$

Presuppositions

$$\frac{\Gamma \vdash J}{\Gamma \vdash \mathrm{ok}}
\qquad
\frac{\Gamma \vdash A = B}{\Gamma \vdash A\ \mathrm{kind}}
\qquad
\frac{\Gamma \vdash M = N : A}{\Gamma \vdash M : A}
\qquad
\frac{\Gamma \vdash M : A}{\Gamma \vdash A\ \mathrm{kind}}$$
3 A Typed Operational Semantics for the Logical Framework



The typed operational semantics for the Logical Framework has the following
judgement forms with associated informal meaning:

— $\models \Gamma \to \Delta$, meaning that $\Gamma$ has normal form $\Delta$.

— $\Gamma \models A \to B$, meaning that $A$ is well-formed under assumptions $\Gamma$ and has
normal form $B$.

— $\Gamma \models M \to N \to P : A$, meaning that $M$, $N$ and $P$ are well-formed of kind
$A$ under assumptions $\Gamma$, and $M$ has weak-head normal form $N$ and normal
form $P$.

We also use the following abbreviations:

— $\Gamma \models \mathrm{ok}$ for $\models \Gamma \to \Delta$ when $\Delta$ is not relevant.

— $\Gamma \models M \to N : A$ for $\Gamma \models M \to N \to P : A$ when $P$ is not relevant.

— $\Gamma \models M \to_n P : A$ for $\Gamma \models M \to N \to P : A$ when $N$ is not relevant.

— $\Gamma \models M : A$ for $\Gamma \models M \to N \to P : A$ when $N$ and $P$ are not relevant.

We say that the meanings of the judgements are informal because the rules do
not depend on weak-head or normal forms: the demonstration that $\Delta$ is the
normal form of $\Gamma$ in $\models \Gamma \to \Delta$, for example, is left to Lemma 11.

The typed operational semantics is defined inductively by the following rules 
of inference. 

Contexts

Emp
$$\frac{}{\models \emptyset \to \emptyset}$$

Weak
$$\frac{\models \Gamma \to \Delta \qquad \Gamma \models A \to B \qquad x \not\in \mathrm{dom}(\Gamma)}{\models \Gamma, x{:}A \to \Delta, x{:}B}$$

Kinds

Type
$$\frac{\Gamma \models \mathrm{ok}}{\Gamma \models \mathrm{Type} \to \mathrm{Type}}$$

El
$$\frac{\Gamma \models M \to N \to P : \mathrm{Type}}{\Gamma \models \mathrm{El}(M) \to \mathrm{El}(P)}$$

$\Pi$
$$\frac{\Gamma \models A_1 \to B_1 \qquad \Gamma, x{:}A_1 \models A_2 \to B_2}{\Gamma \models \Pi x{:}A_1.A_2 \to \Pi x{:}B_1.B_2}$$

Terms

Var
$$\frac{\Gamma_0, x{:}A, \Gamma_1 \models A \to B}{\Gamma_0, x{:}A, \Gamma_1 \models x \to x \to x : B}$$

$\eta$
$$\frac{\Gamma \models A_1 \to B_1 \qquad \Gamma, x{:}A_1 \models M_0 \to_n P(x) : B_2 \qquad \Gamma \models P \to P \to P : \Pi x{:}B_1.B_2}{\Gamma \models \lambda x{:}A_1.M_0 \to \lambda x{:}A_1.M_0 \to P : \Pi x{:}B_1.B_2}$$

$\lambda$
$$\frac{\Gamma \models A_1 \to B_1 \qquad \Gamma, x{:}A_1 \models M_0 \to_n P_0 : B_2 \qquad \lambda x{:}B_1.P_0 \text{ not an } \eta\text{-redex}}{\Gamma \models \lambda x{:}A_1.M_0 \to \lambda x{:}A_1.M_0 \to \lambda x{:}B_1.P_0 : \Pi x{:}B_1.B_2}$$

Base
$$\frac{\Gamma \models M_1 \to N_1 \to P_1 : \Pi x{:}B_1.B_2 \qquad N_1 \text{ not an abstraction} \qquad \Gamma \models M_2 \to N_2 \to P_2 : B_1 \qquad \Gamma \models [M_2/x]B_2 \to C}{\Gamma \models M_1(M_2) \to N_1(M_2) \to P_1(P_2) : C}$$

$\beta$
$$\frac{\Gamma \models M_1 \to \lambda x{:}A_1.M_0 : \Pi x{:}B_1.B_2 \qquad \Gamma \models M_2 : B_1 \qquad \Gamma \models [M_2/x]M_0 \to P \to Q : C \qquad \Gamma \models [M_2/x]B_2 \to C}{\Gamma \models M_1(M_2) \to P \to Q : C}$$



The typed operational semantics can be viewed as an alternative induction
principle for the well-typed terms of the Logical Framework. We have chosen
the rules of inference so that the induction principle is as powerful as possible,
with the particular criterion that the completeness theorem, Theorem 1, follows
as simply as possible.

The system is not simply a reduction relation with added type information. 
Each of the rules involving application requires the normal forms of the domain 
kind in the function to be identical to the kind of the argument, replacing the 
rules for kind equality. The relationship between judgements and derivations is 
therefore much closer than in the declarative presentation of the Logical Frame- 
work of Section 2, and we always know what the last rule of inference must be 
based on the structure of the judgement. 

4 Metatheoretic Properties 

In this section, we give an outline of the proofs of the metatheoretic properties 
of the typed operational semantics. We divide this into two subsections, one for 
results about typing and the other for results about reduction. As most of the 
results and proofs in this section have been published elsewhere [2,4] for similar 
systems, we avoid giving many details. 

We shall use "inversion" on a derivation of a judgement to mean a case analysis
on the possible last rules of inference for that judgement. Hence, inversion
of a derivation of $\Gamma \models x \to N \to P : B$ gives us that $N = x$, $P = x$, $x{:}A \in \Gamma$
and $\Gamma \models A \to B$ (we also know that the derivation used Var as the last rule
of inference, but this is usually not important). This is similar to Generation as
used for PTS [1], and can be automatized as done in the proof assistants Lego
and Coq.
4.1 Typing

Lemma 1 (Subcontext). If $\Gamma_0, \Gamma_1 \models J$ then there is a not necessarily strict
subderivation of $\Gamma_0 \models \mathrm{ok}$.

Lemma 2 (Contexts). If $\Gamma \models J$ then $\Gamma$ is consistent. Furthermore:

— If $\Gamma \models A \to B$ then $\mathrm{FV}(A) \cup \mathrm{FV}(B) \subseteq \mathrm{dom}(\Gamma)$.

— If $\Gamma \models M \to N \to P : A$ then $\mathrm{FV}(M) \cup \mathrm{FV}(N) \cup \mathrm{FV}(P) \cup \mathrm{FV}(A) \subseteq \mathrm{dom}(\Gamma)$.

Definition 1 (Renaming). A map $\gamma$ is a substitution from $\Delta$ to $\Gamma$ if $\Delta \models \mathrm{ok}$,
$\mathrm{dom}(\gamma) = \mathrm{dom}(\Gamma)$ and $x{:}A \in \Gamma$ implies $\Delta \models A[\gamma] \to B$ and $\Delta \models \gamma(x) : B$.

A renaming is a parallel substitution $\gamma$ from $\Delta$ to $\Gamma$ such that for each $x{:}A \in
\Gamma$ we have $\gamma(x) = y$ and $y{:}A[\gamma] \in \Delta$. We write $\mathrm{weak}$ for the identity map over
$\mathrm{dom}(\Gamma)$ if $\Delta$ has all components of $\Gamma$.

Lemma 3 (Renaming). If $\gamma$ is a renaming from $\Delta$ to $\Gamma$ then:

— If $\Gamma \models A \to B$ then $\Delta \models A[\gamma] \to B[\gamma]$.

— If $\Gamma \models M \to N \to P : A$ then $\Delta \models M[\gamma] \to N[\gamma] \to P[\gamma] : A[\gamma]$.

Proof. By induction on derivations, using Contexts (Lemma 2) for $\Pi$, $\lambda$ and $\eta$.

Lemma 4. If $\Gamma \models \mathrm{ok}$, $\Delta \models \mathrm{ok}$ and $\Delta$ has all components of $\Gamma$ then $\mathrm{weak}$ is
a substitution from $\Delta$ to $\Gamma$.

Corollary 1 (Thinning). If $\Gamma \models J$ and $\Delta$ is a valid context with all components
of $\Gamma$ then $\Delta \models J$.

The above proof of Thinning was inspired by McKinna and Pollack’s [ 12 ] 
treatment of a-equivalence. The more complex treatment of Thinning is neces- 
sary because the new variables occurring in A may have been used for the bound 
variables of the subject in F |= J . This is also a problem for the traditional proof 
of Thinning for PTS [ 1 ]. See [ 12 , 4 ] for more details. 

In practice, we use the simpler result of Weakening, which simply says that
if $\Gamma \models J$ and $\Gamma, \Delta \models \mathrm{ok}$ then $\Gamma, \Delta \models J$; this follows as a corollary to Thinning.

Lemma 5 (Determinacy).

— If $\models \Gamma \to \Delta$ and $\models \Gamma \to \Phi$ then $\Delta = \Phi$.

— If $\Gamma \models A \to B$ and $\Gamma \models A \to C$ then $B = C$.

— If $\Gamma \models M \to N \to P : B$ and $\Gamma \models M \to Q \to R : C$ then $N = Q$, $P = R$,
and $B = C$.

Proof. By simultaneous induction on derivations.

We consider case $\Pi$. By inversion of $\Gamma \models \Pi x{:}A_1.A_2 \to \Pi y{:}C_1.C_2$ we know
that $\Gamma \models A_1 \to C_1$ and $\Gamma, y{:}A_1 \models [y/x]A_2 \to C_2$. By the induction hypothesis
$B_1 = C_1$. Furthermore, by Renaming $\Gamma, x{:}A_1 \models A_2 \to [x/y]C_2$, so by the
induction hypothesis again $B_2 = [x/y]C_2$, and so $\Pi x{:}B_1.B_2 = \Pi y{:}C_1.C_2$.
Cases $\lambda$ and $\eta$ use Renaming similarly.
Strengthening is often the most difficult of the metatheoretic results for a
type theory with an equality rule for types. For the typed operational semantics
this result is straightforward, because kind equality is taken care of in the individual
rules. The kind in each judgement about terms must always be normal,
and although we do not explicitly use this fact it ensures that the strengthened
variable never occurs in the kind. This is different from the situation in the Logical
Framework, where variables that do not occur in the term can be introduced
into the kind by kind equality.

Lemma 6 (Strengthening). Suppose $z$ is a variable such that $z \not\in \mathrm{FV}(\Gamma_1)$.
Then:

— If $\Gamma_0, z{:}C, \Gamma_1 \models \mathrm{ok}$ then $\Gamma_0, \Gamma_1 \models \mathrm{ok}$.

— If $\Gamma_0, z{:}C, \Gamma_1 \models A \to B$ and $z \not\in \mathrm{FV}(A)$ then $\Gamma_0, \Gamma_1 \models A \to B$.

— If $\Gamma_0, z{:}C, \Gamma_1 \models M \to N \to P : A$ and $z \not\in \mathrm{FV}(M)$ then $\Gamma_0, \Gamma_1 \models M \to N \to P : A$.

Proof. By simultaneous induction on derivations, using Contexts for rule $\eta$.

We now show that the typed operational semantics is complete for the Logical
Framework. We remind the reader that $\Gamma \vdash^- J$ represents judgements derived
in the system without the structural rules in Section 2.2.

Theorem 1 (Completeness for LF$^-$).

— If $\Gamma \models \mathrm{ok}$ then $\Gamma \vdash^- \mathrm{ok}$.

— If $\Gamma \models A \to B$ then $\Gamma \vdash^- A\ \mathrm{kind}$ and $\Gamma \vdash^- A = B$.

— If $\Gamma \models M \to N \to P : A$ then $\Gamma \vdash^- M : A$, $\Gamma \vdash^- M = N : A$, $\Gamma \vdash^- M = P : A$
and $\Gamma \vdash^- A = A$.

Proof. By simultaneous induction on derivations.

We consider Var. By the induction hypothesis $\Gamma_0, x{:}A, \Gamma_1 \vdash^- A\ \mathrm{kind}$ and
$\Gamma_0, x{:}A, \Gamma_1 \vdash^- A = B$. By Subcontext $\Gamma_0, x{:}A, \Gamma_1 \models \mathrm{ok}$, so by the induction
hypothesis $\Gamma_0, x{:}A, \Gamma_1 \vdash^- \mathrm{ok}$. By Var $\Gamma_0, x{:}A, \Gamma_1 \vdash^- x : A$, and by Eq $\Gamma_0, x{:}A, \Gamma_1 \vdash^-
x : B$. Furthermore, by Refl $\Gamma_0, x{:}A, \Gamma_1 \vdash^- x = x : B$. Finally, by KSym and
KTrans $\Gamma_0, x{:}A, \Gamma_1 \vdash^- B = B$.



4.2 Untyped Reduction 

Untyped reduction is an essential component of the presentation of some type 
theories, for example Pure Type Systems, where the equality relation is defined 
as the least equivalence relation containing untyped reduction. We have instead 
followed the Martin-Löf style presentation using judgemental equality, which
ensures that all intermediate terms in a proof of equality are well-formed. Our 
formal presentation of the Logical Framework does not rely on untyped reduction 
in any way. 

However, untyped reduction is still an essential component of our develop- 
ment of the metatheory of the Logical Framework, because the proof of sound- 
ness of the usual typing rules for the typed operational semantics relies on the 
result of subject reduction. In particular, we establish properties such as that if
$\Gamma \models M \to_n P : A$ then $\Gamma \models P \to P \to P : A$, and if $\Gamma \models [N/x]A \to C$ and
$\Gamma \models A \to B$ then $\Gamma \models [N/x]B \to C$, using Adequacy, properties of untyped
reduction such as substitution, and subject reduction.

We introduce the following one-step reduction relations:

$$(\lambda x{:}A_1.M_0)(M_2)\ \ \beta\ \ [M_2/x]M_0$$

$$\lambda x{:}A_1.M(x)\ \ \eta\ \ M \qquad x \not\in \mathrm{FV}(M)$$

A term $M$ is a redex if there is an $N$ such that $M\,\beta\,N$ or $M\,\eta\,N$. Let untyped
reduction, or just reduction, written $M \to N$, be the compatible closure of all of
the above rules. We write $M \to^+ N$ for the transitive closure of reduction and
$M \to^* N$ for the reflexive, transitive closure of reduction.

Lemma 7 (Adequacy for Untyped Reduction).

— If $\Gamma \models M \to N \to P : A$ then there is an $N'$ such that $M \to^* N \to^* N' \to^* P$.

— If $\Gamma \models A \to C$ then there is a $B$ such that $A \to^* B \to^* C$.

Proof. By simultaneous induction on derivations, using Contexts for rule $\eta$.

Lemma 8. If $\Gamma \models M \to Q : \Pi x{:}A.B$, $\Gamma \models N \to Q : \Pi x{:}A.B$ and $\Gamma \models
M(P) \to R \to S : C$ then $\Gamma \models N(P) \to R \to S : C$.

Proof. By inversion of the derivation of $\Gamma \models M(P) \to R \to S : C$, using Determinacy.

We now give some basic definitions and lemmas about weak-head normal and
normal forms.

Definition 2 (Head Variable). We say that $x$ has head variable $x$, and that
$M(N)$ has head variable $x$ if $M$ has head variable $x$.

Definition 3 (Weak-Head Normal and Normal). We say that $x$ is weak-head
normal, that $\lambda x{:}A.M$ is weak-head normal and that $M(N)$ is weak-head
normal if $M$ is weak-head normal and not an abstraction.

We say that $x$ is normal, that $\lambda x{:}A.M$ is normal if it is not an $\eta$-redex and
$A$ and $M$ are normal, and that $M(N)$ is normal if $M$ and $N$ are normal and
$M$ is not an abstraction.

Normal forms lift to kinds in the natural way.



Lemma 9. M is normal if and only if M has no reductions. 

Lemma 10. There is an x such that M has head variable x if and only if M is 
weak-head normal and not an abstraction. 
Lemma 11 (Weak-head and Normal Forms).

— If $\models \Gamma \to \Delta$ then $\Delta$ is normal.

— If $\Gamma \models A \to B$ then $B$ is normal.

— If $\Gamma \models M \to N \to P : A$ then $N$ is weak-head normal and $P$ and $A$ are
normal.

We define a simple ordering on kinds by the natural length function.

Definition 4. We define the length of a kind $A$, written $|A|$, by structural recursion
on $A$:

$$|\mathrm{Type}| =_{df} 0 \qquad |\mathrm{El}(M)| =_{df} 0 \qquad |\Pi x{:}A_1.A_2| =_{df} |A_1| + |A_2| + 1$$

Lemma 12. If $\Gamma \models M \to N : A$, $N$ not an abstraction, $x{:}B \in \Gamma$ and the head
variable of $N$ is $x$ then $|A| \le |B|$.

Proof. By induction on derivations of $\Gamma \models M \to N : A$.

Lemma 13. If $\Gamma \models A \to B$ then $|A| = |B|$.

Lemma 14. If $\Gamma \models M \to N : A$ and $M$ is weak-head normal then $M = N$.

Proof. By induction on derivations that $\Gamma \models M \to N : A$.

For the $\beta$ case, if $M_1(M_2)$ is weak-head normal then $M_1$ is weak-head normal,
so by the induction hypothesis $M_1 = \lambda x{:}A_1.M_0$, which is impossible by the
definition of $M_1(M_2)$ being weak-head normal.
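The rules of Section 3 and the predicates of Definition 3, implemented as an added example that is not code from the paper. The tuple encoding of terms, kinds and contexts, the function names (`tos`, `kind`, `is_normal`, `well_typed`) and the sample signature are my own choices. `tos` computes the judgement $\Gamma \models M \to N \to P : A$, returning the triple $(N, P, A)$, and rejects a term when no rule applies; as the text observes, the rule to use is fixed by the shape of the term and, for an application, by whether the weak-head normal form of its function part is an abstraction.

```python
# Added example, not code from the paper: a checker for the typed operational
# semantics of Section 3, computing Γ ⊨ M → N → P : A, with the predicates of
# Definition 3. Representation is my own: terms are ('var', x), ('lam', x, A, M),
# ('app', M, N); kinds are ('type',), ('el', M), ('pi', x, A, B); a context is a
# list of (x, A) pairs whose kinds are normalised on lookup, as in rule Var.
import itertools
_counter = itertools.count()

def fresh(x):
    return f"{x}'{next(_counter)}"

def fv(t):
    if t[0] == 'var':  return {t[1]}
    if t[0] == 'type': return set()
    if t[0] in ('app', 'el'): return set().union(*(fv(s) for s in t[1:]))
    return fv(t[2]) | (fv(t[3]) - {t[1]})                       # lam, pi

def subst(t, x, s):
    """[s/x]t, capture-avoiding: a binder that clashes with FV(s) is renamed."""
    if t[0] == 'var':  return s if t[1] == x else t
    if t[0] == 'type': return t
    if t[0] in ('app', 'el'): return (t[0],) + tuple(subst(u, x, s) for u in t[1:])
    tag, y, A, B = t[0], t[1], subst(t[2], x, s), t[3]
    if y == x: return (tag, y, A, B)
    if y in fv(s):
        y2 = fresh(y); B = subst(B, y, ('var', y2)); y = y2
    return (tag, y, A, subst(B, x, s))

def alpha_eq(t, u, env=()):
    """Equality up to renaming of bound variables; env pairs binders, innermost first."""
    if t[0] != u[0]: return False
    if t[0] == 'var':
        for a, b in env:
            if t[1] == a or u[1] == b: return t[1] == a and u[1] == b
        return t[1] == u[1]
    if t[0] in ('type', 'app', 'el'):
        return all(alpha_eq(a, b, env) for a, b in zip(t[1:], u[1:]))
    return alpha_eq(t[2], u[2], env) and alpha_eq(t[3], u[3], ((t[1], u[1]),) + env)

def extend(ctx, x, A, body):
    """Form Γ, x:A with x ∉ dom(Γ), renaming the bound variable if it is in use."""
    if any(x == y for y, _ in ctx):
        x2 = fresh(x); body = subst(body, x, ('var', x2)); x = x2
    return ctx + [(x, A)], x, body

def is_eta_redex(t):                          # λx:A.M(x) with x ∉ FV(M)
    return (t[0] == 'lam' and t[3][0] == 'app' and t[3][2] == ('var', t[1])
            and t[1] not in fv(t[3][1]))
def is_whnf(t):                               # Definition 3, weak-head normal
    return t[0] != 'app' or (is_whnf(t[1]) and t[1][0] != 'lam')
def is_normal(t):                             # Definition 3, lifted to kinds
    if t[0] == 'lam' and is_eta_redex(t): return False
    if t[0] == 'app' and t[1][0] == 'lam': return False
    return all(is_normal(s) for s in t[1:] if isinstance(s, tuple))

def kind(ctx, A):
    """Γ ⊨ A → B (rules Type, El, Π); returns the normal form B."""
    if A[0] == 'type': return A
    if A[0] == 'el':
        _, P, K = tos(ctx, A[1])
        if K != ('type',): raise TypeError("El needs a term of kind Type")
        return ('el', P)
    ctx2, x, A2 = extend(ctx, A[1], A[2], A[3])
    return ('pi', x, kind(ctx, A[2]), kind(ctx2, A2))

def tos(ctx, M):
    """Γ ⊨ M → N → P : A (rules Var, η, λ, Base, β): returns (N, P, A) or raises TypeError."""
    if M[0] == 'var':                                              # Var
        for x, A in reversed(ctx):
            if x == M[1]: return M, M, kind(ctx, A)
        raise TypeError(f"unbound variable {M[1]}")
    if M[0] == 'lam':                                              # η or λ
        B1 = kind(ctx, M[2])
        ctx2, x, M0 = extend(ctx, M[1], M[2], M[3])
        _, P0, B2 = tos(ctx2, M0)
        pi = ('pi', x, B1, B2)
        if is_eta_redex(('lam', x, B1, P0)):                       # η: P0 = P(x)
            P = P0[1]
            if not alpha_eq(tos(ctx, P)[2], pi):
                raise TypeError("η: P does not have kind Πx:B1.B2")
            return M, P, pi
        return M, ('lam', x, B1, P0), pi
    N1, P1, K = tos(ctx, M[1])                                     # application
    if K[0] != 'pi': raise TypeError("applying a term of non-Π kind")
    N2, P2, K2 = tos(ctx, M[2])
    if not alpha_eq(K2, K[2]): raise TypeError("argument kind differs from domain")
    C = kind(ctx, subst(K[3], K[1], M[2]))                         # Γ ⊨ [M2/x]B2 → C
    if N1[0] != 'lam':                                             # Base
        return ('app', N1, M[2]), ('app', P1, P2), C
    P, Q, C2 = tos(ctx, subst(N1[3], N1[1], M[2]))                 # β
    if not alpha_eq(C, C2): raise TypeError("β: kinds of body and result differ")
    return P, Q, C

def well_typed(ctx, M):
    try: tos(ctx, M); return True
    except TypeError: return False

# Constructed sample signature: o : Type, f : Πx:El(o).El(o), a : El(o), g : Πh:(Πx:El(o).El(o)).El(o)
O, F = ('el', ('var', 'o')), ('var', 'f')
CTX = [('o', ('type',)), ('f', ('pi', 'x', O, O)), ('a', O),
       ('g', ('pi', 'h', ('pi', 'x', O, O), O))]
ETA = ('lam', 'y', O, ('app', F, ('var', 'y')))    # η: normal form f
BETA = ('app', ETA, ('var', 'a'))                   # β: normal form f(a)
HIGH = ('app', ('var', 'g'), ETA)                   # Base: normal form g(f)
ILL = ('app', F, F)                                 # rejected: f has kind Πx:El(o).El(o), not El(o)
```

The two `alpha_eq` checks in the application case are where the system differs from an untyped normaliser: the normal form of the domain kind must coincide with the kind computed for the argument, and in rule β the kind of the substituted body must coincide with the normal form of $[M_2/x]B_2$, so kind equality is decided by comparing normal forms rather than by separate equality rules.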

Lemma 15. If $M$ has head variable $x$ and $x \neq y$ then $[N/y]M$ has head variable
$x$.

Lemma 16. If $M$ is weak-head normal and not an abstraction and $M \to^* N$
then $N$ is weak-head normal and not an abstraction.

We write $\models \Gamma = \Delta$ if there is a $\Phi$ such that $\models \Gamma \to \Phi$ and $\models \Delta \to \Phi$.

Lemma 17 (Context Conversion). If $\Gamma \models J$ and $\models \Gamma = \Delta$ then $\Delta \models J$.

Proof. By simultaneous induction on derivations.

We consider Var. If $\models \Gamma_0, x{:}A, \Gamma_1 = \Delta$ then $\Delta = \Delta_0, x{:}C, \Delta_1$, with $\Gamma_0 \models A \to B$
and $\Delta_0 \models C \to B$. By Weakening $\Delta_0, x{:}C, \Delta_1 \models C \to B$, so $\Delta_0, x{:}C, \Delta_1 \models x \to
x \to x : B$ by Var.

We can now show Subject Reduction for $\eta$-reduction.

Lemma 18 (Subject Reduction for $\eta$).

If $\Gamma \models \lambda x{:}A_1.M(x) \to N \to P : \Pi x{:}B_1.B_2$ and $x \not\in \mathrm{FV}(M)$ then there is an $N'$
such that $\Gamma \models M \to N' \to P : \Pi x{:}B_1.B_2$.

Proof. We first prove that if $\Gamma \models M \to N \to P : \Pi x{:}B_1.C$, $\Gamma \models A_1 \to B_1$
and $\Gamma, x{:}A_1 \models C \to B_2$ then $\Gamma \models \lambda x{:}A_1.M(x) \to Q \to P : \Pi x{:}B_1.B_2$ for some
$Q$. This follows by case analysis of $N$, using inversion, Context Conversion and
Weakening if $N$ is an abstraction and Weakening if it is not.

Then, using inversion twice with Determinacy, we know $\Gamma, x{:}A_1 \models M \to Q \to
R : \Pi x{:}B_1.C$ and $\Gamma, x{:}A_1 \models C \to B_2$ for some $Q$, $R$ and $C$, so by Strengthening
$\Gamma \models M \to Q \to R : \Pi x{:}B_1.C$, so $\Gamma \models \lambda x{:}A_1.M(x) \to S \to R : \Pi x{:}B_1.B_2$ for
some $S$ by the above. By Determinacy $R = P$ and $C = B_2$.



The idea underlying the proof of strong normalization for typed operational 
semantics is the same as that for all other such proofs for $\lambda$-calculus, which
depends on bounding the length of weak-head reduction sequences. Then, be- 
cause internal reduction is bounded by the induction hypothesis, and because 
internal reduction does not generate new weak-head reductions (the property 
of quasi-commuting from term rewriting), we know that strong normalization 
holds. 

However, for technical reasons we use a slightly different presentation. In- 
stead of defining internal reduction and showing that weak-head and internal 
reduction quasi-commute, we use the reflexive, transitive closure of weak-head 
reduction (as defined by the typed operational semantics) and parallel reduc- 
tion. This allows us to prove subject reduction and Church-Rosser at the same 
time as establishing the necessary relationship between ordinary and weak-head 
reduction. 

We now give a brief development of parallel reduction, necessary for the proof 
of subject reduction and strong normalization. Tait and Martin-Löf's proof of
Church-Rosser using it highlighted the notion; an elegant presentation is given 
by Takahashi [16]. 



Definition 5 (Parallel Reduction). We define parallel reduction as the least
relation closed under the following rules of inference:

$$\frac{}{x \Rightarrow x}
\qquad
\frac{A \Rightarrow A' \qquad M \Rightarrow M'}{\lambda x{:}A.M \Rightarrow \lambda x{:}A'.M'}
\qquad
\frac{M \Rightarrow M' \qquad N \Rightarrow N'}{M(N) \Rightarrow M'(N')}$$

$$\frac{M \Rightarrow M' \qquad N \Rightarrow N'}{(\lambda x{:}A.M)(N) \Rightarrow [N'/x]M'}
\qquad
\frac{M_0 \Rightarrow M'(x) \qquad x \not\in \mathrm{FV}(M')}{\lambda x{:}A_1.M_0 \Rightarrow M'}$$

We extend the reduction in the obvious way to kinds and contexts.

Parallel reduction has some simple properties. First, we know $M \Rightarrow M$ for
all $M$. Furthermore, if $M \to N$ then $M \Rightarrow N$, and if $M \Rightarrow N$ then $M \to^* N$.
Finally, if $M \Rightarrow M'$ and $N \Rightarrow N'$ then $[N/x]M \Rightarrow [N'/x]M'$.
Lemma 19 (Parallel Subject Reduction).

— If $\models \Gamma \to \Delta$ and $\Gamma \Rightarrow \Gamma'$ then $\models \Gamma' \to \Delta$.

— If $\Gamma \models A \to B$, $\Gamma \Rightarrow \Gamma'$ and $A \Rightarrow A'$ then $\Gamma' \models A' \to B$.

— If $\Gamma \models M \to N \to P : A$, $\Gamma \Rightarrow \Gamma'$ and $M \Rightarrow M'$ then there are $N'$ and $N''$
such that $\Gamma' \models M' \to N'' \to P : A$, $N \Rightarrow N'$ and $\Gamma' \models N' \to N'' \to P : A$.

Proof. By simultaneous induction on derivations.

Lemma 20 (Subject Reduction). If $\Gamma \models M \to N \to P : A$, $\Gamma \to \Gamma'$ and
$M \to M'$ then there is an $N'$ such that $\Gamma' \models M' \to N' \to P : A$ and $N \to^* N'$.

Notice that this lemma captures both subject reduction and Church-Rosser,
because the full judgement and in particular the normal form is stable under
one-step reduction.

Definition 6 (Strong Normalization). Strong normalization for kinds, written
$\mathrm{SN}(A)$, is the least predicate closed under the following rule of inference:

$$\frac{\text{for all } B.\ (A \to B) \Rightarrow \mathrm{SN}(B)}{\mathrm{SN}(A)}$$

and similarly for terms.



Lemma 21. If $\lambda x{:}A_1.M_0 \Rightarrow N$ and $\Gamma \models N \to \lambda x{:}B.N_0 : C$ then $M_0 \to^* N_0$.

Lemma 22 (Strong Normalization). If $\Gamma \models M \to N \to P : A$ then $M$ is
strongly normalizing. Similarly, if $\Gamma \models A \to B$ then $A$ is strongly normalizing.

Proof. By simultaneous induction on derivations.

We consider the case Base. By the induction hypothesis we know that $M_1$ and
$M_2$ are strongly normalizing, and by assumption $\Gamma \models M_1 \to N_1 : \Pi x{:}B_1.B_2$
where $N_1$ is not an abstraction. By induction on the maximal length of reductions
for $M_1$ and $M_2$, we show that if $\Gamma \models M_1 \to N_1 : \Pi x{:}B_1.B_2$ where $N_1$ is not an
abstraction then $M_1(M_2)$ is strongly normalizing.

Then, by the rule defining SN, we need that if $M_1(M_2) \to P$ then $P$ is strongly normalizing.
We consider the possible reductions:

— $M_1 \to M_1'$. Then by Parallel Subject Reduction there are $N_1'$ and $N_1''$ such that
$N_1 \Rightarrow N_1'$, $\Gamma \models N_1' \to N_1'' : \Pi x{:}B_1.B_2$, and $\Gamma \models M_1' \to N_1'' : \Pi x{:}B_1.B_2$.
Hence by Lemma 16 $N_1''$ is not an abstraction, so by the induction hypothesis
$M_1'(M_2)$ is strongly normalizing.

— $M_2 \to M_2'$. By the induction hypothesis.

Case $\beta$ uses Lemma 21, Parallel Subject Reduction, the closure of Strong
Normalization under reduction and the closure of reduction under substitution.

Finally, the following admissible rule is useful in the proof of Soundness,
Theorem 2. It differs from the rule $\eta$ by replacing the premise $\Gamma \models P : \Pi x{:}B_1.B_2$
by the requirement that $x \not\in \mathrm{FV}(P)$.

Proposition 1 (Admissibility of $\eta'$). If $\Gamma \models A_1 \to B_1$ and $\Gamma, x{:}A_1 \models M_0 \to_n
P(x) : B_2$, with $x \not\in \mathrm{FV}(P)$, then there is an $N'$ such that $\Gamma \models \lambda x{:}A_1.M_0 \to
N' \to P : \Pi x{:}B_1.B_2$.
4.3 Comparison with Other Work

We have introduced a new class of formal systems, typed operational seman- 
tics, which present type theory from a computational perspective. In doing so, 
we have arrived at a strategy for studying reduction in type theory opposite to 
the frequently adopted approach of removing type information from the proof 
of normalization. The specific typed operational semantics that we study, based 
on standard reduction, itself gives a precise, coherent description of the rela- 
tionship between typing and reduction. We have demonstrated that this system 
gives a new treatment of fundamental results, including Church-Rosser, subject 
reduction and strong normalization. 

The alternative presentation introduced by van Raamsdonk and Severi [18] 
uses sequences of applications to isolate the one-step weak-head reductions. This 
formulation hides the use of the diagram stating that weak-head and internal 
reduction commute in the proof of strong normalization, by giving an explicit 
description of each of the weak-head reduction steps. However, the basic argu- 
ment for strong normalization is exactly the same: the number of weak-head 
reductions of a term is bounded by the derivation, and the internal reductions 
are bounded by the induction hypothesis, so the term is strongly normalizing. 

In our approach, we incorporate the commuting diagram into the proof of 
Subject Reduction, and we prove Church-Rosser at the same time. Moreover, 
our use of a more abstract approach based on weak-head and parallel reduction 
means that it is more generally applicable. For example, when Joachimski and 
Matthes show strong normalization for Gödel's System T, they need to overload
the syntax of application in order to maintain the validity of their rules of in- 
ference, instead of extending the reduction relations in the natural way as we 
would be able to do. 

Parallel reduction is a tool we use in the proof of Subject Reduction, which 
would lead to a clear proof of Subject Reduction for the presentation with se- 
quences of applications as well. The problem in both approaches is the same: the 
induction hypothesis needs to be strong enough to accommodate the closure of 
reduction under substitution. One-step reduction does not satisfy this property, 
and parallel reduction is the simplest reduction relation that does. This problem 
has not been faced in the alternative approach because that approach has not 
been used to study typing. 

Finally, we have chosen a judgement form, $\Gamma \models M \to N \to P : A$, that
includes weak-head normal forms. An alternative presentation used elsewhere
[4,5] uses two judgement forms $\Gamma \models M \to_n P : A$ and $\Gamma \models M \to N : A$, where
the first indicates that M has normal form P and the second indicates that N is 
a one-step weak-head reduct of M . We prefer the former presentation because it 
involves fewer judgements and rules of inference, and because it extends naturally 
to systems of subtyping where the weak-head normal form is important [2] , but 
the development discussed here can be adapted to the latter presentation without 
difficulty. 
5 Soundness

We now show the admissibility of substitution and application in the typed 
operational semantics. 

Intuitively, application and substitution are closely related. If we can substi- 
tute at a kind, then we can also apply at that kind, by analysis of the weak-head 
normal form of the applicator: if it is an abstraction then we substitute, and oth- 
erwise we use the rule Base. Hence, we prove the admissibility of substitution 
and application simultaneously. Furthermore, values at the base kind can safely 
be substituted, because they have no applicative behavior. The admissibility of 
substitution and application can be lifted to higher kinds by induction, using 
the admissibility of application at smaller kinds. 

By complete induction we mean the principle that:

$$\frac{\forall m.\ (\forall n.\ n < m \Rightarrow \Phi(n)) \Rightarrow \Phi(m)}{\forall m.\ \Phi(m)}$$

Lemma 23. Suppose $\Gamma \models N \to Q \to S : A'$ and $\Gamma \models A \to A'$. Then:

1. Substitution is admissible:

(a) If $\models \Gamma, x{:}A, \Delta \to \Phi$ then there is a $\Psi$ such that $\models \Gamma, [N/x]\Delta \to \Psi$.

(b) If $\Gamma, x{:}A, \Delta \models B \to C$ then there is a $D$ such that $\Gamma, [N/x]\Delta \models
[N/x]B \to D$.

(c) If $\Gamma, x{:}A, \Delta \models M \to P \to R : B$ then there are $T$, $U$ and $C$ such that
$\Gamma, [N/x]\Delta \models [N/x]M \to T \to U : C$, $\Gamma, [N/x]\Delta \models [N/x]P \to T \to U : C$
and $\Gamma, [N/x]\Delta \models [N/x]B \to C$.

2. Application is admissible: if $\Gamma \models M \to P \to R : \Pi x{:}A'.B$ then there are $T$,
$U$ and $C$ such that $\Gamma \models M(N) \to T \to U : C$ and $\Gamma \models [N/x]B \to C$.

Proof. We prove the two cases simultaneously by complete induction on $|A'|$.

1. This follows by simultaneous induction on derivations that $\Gamma, x{:}A, \Delta \models J$.

— Emp. Immediate.

— Wk. If $\Delta = \emptyset$ then $\models \Gamma \to \Phi$ by Subcontext. If $\Delta = \Delta_0, z{:}B$ then
$\Gamma, [N/x]\Delta_0 \models [N/x]B \to C$ by the induction hypothesis, and
$\models \Gamma, [N/x]\Delta_0 \to \Psi$ by Subcontext and the induction hypothesis, so $\models \Gamma, [N/x]\Delta_0, z{:}[N/x]B \to \Psi, z{:}C$.

— Type. By the induction hypothesis $\Gamma, [N/x]\Delta \models \mathrm{ok}$, so $\Gamma, [N/x]\Delta \models
\mathrm{Type} \to \mathrm{Type}$.

— El. By the induction hypothesis $\Gamma, [N/x]\Delta \models [N/x]M \to T \to U : C$,
where $\Gamma, [N/x]\Delta \models \mathrm{Type} \to C$ implies $C = \mathrm{Type}$ by inversion. Hence
$\Gamma, [N/x]\Delta \models [N/x]\mathrm{El}(M) \to \mathrm{El}(U)$.

— $\Pi$. By the induction hypothesis $\Gamma, [N/x]\Delta \models [N/x]A_1 \to C_1$
and $\Gamma, [N/x]\Delta, z{:}[N/x]A_1 \models [N/x]A_2 \to C_2$, so $\Gamma, [N/x]\Delta \models
[N/x](\Pi z{:}A_1.A_2) \to \Pi z{:}C_1.C_2$ by $\Pi$.

— Var. Then $M = y$, $P = y$ and $R = y$. There are two cases:

• $x = y$. We have the premise that $\Gamma, x{:}A, \Delta \models A \to B$, and $\Gamma \models N \to
Q \to S : A'$ and $\Gamma \models A \to A'$ by assumption. By Subcontext we have
a subderivation of $\Gamma, x{:}A, \Delta \models \mathrm{ok}$, by Weakening $\Gamma, x{:}A, \Delta \models A \to
A'$, and so by Determinacy $A' = B$. By the induction hypothesis
$\Gamma, [N/x]\Delta \models \mathrm{ok}$, and so by Weakening again $\Gamma, [N/x]\Delta \models N \to
Q \to S : A'$. Furthermore, by Free Variables (Lemma 2) $x \not\in \mathrm{FV}(A) \cup \mathrm{FV}(A')$, so
$A' = [N/x]A'$, and $\Gamma, [N/x]\Delta \models [N/x]A' = A' \to A'$ by Adequacy,
Subject Reduction and Weakening.

• $x \neq y$. We have the premise that $\Gamma, x{:}A, \Delta \models C \to B$, with $y{:}C \in
\Gamma, x{:}A, \Delta$. By the induction hypothesis $\Gamma, [N/x]\Delta \models [N/x]C \to D$,
so $\Gamma, [N/x]\Delta \models y \to y \to y : D$. Finally, by Adequacy and Subject
Reduction $\Gamma, [N/x]\Delta \models [N/x]B \to D$.

— Base. We have premisses $\Gamma, x{:}A, \Delta \models M_1 \to P_1 \to R_1 : \Pi z{:}B_1.B_2$
with $P_1$ not an abstraction, $\Gamma, x{:}A, \Delta \models M_2 : B_1$, and $\Gamma, x{:}A, \Delta \models
[M_2/z]B_2 \to B$. By Lemma 11 $P_1$ is weak-head normal, so by Lemma 10
there is a $y$ that is the head variable of $P_1$.

Also, by the induction hypothesis there are $T_1$, $U_1$ and $C$ such that
$\Gamma, [N/x]\Delta \models [N/x]M_1 \to T_1 \to U_1 : C$, $\Gamma, [N/x]\Delta \models [N/x]P_1 \to T_1 \to
U_1 : C$ and $\Gamma, [N/x]\Delta \models [N/x](\Pi z{:}B_1.B_2) \to C$, and also there are $U_2$
and $C_1$ such that $\Gamma, [N/x]\Delta \models [N/x]M_2 \to_n U_2 : C_1$ and $\Gamma, [N/x]\Delta \models
[N/x]B_1 \to C_1$. Furthermore, $\Gamma, [N/x]\Delta \models [N/x][M_2/z]B_2 \to D$, again
by the induction hypothesis.

We know $C = \Pi z{:}C_1'.C_2$, $\Gamma, [N/x]\Delta \models [N/x]B_1 \to C_1'$ and
$\Gamma, [N/x]\Delta, z{:}[N/x]B_1 \models [N/x]B_2 \to C_2$ by inversion. Hence by Determinacy
$C_1 = C_1'$. Furthermore, by Adequacy $[N/x]B_2 \to^* C_2$, and
$[N/x][M_2/z]B_2 = [[N/x]M_2/z][N/x]B_2$, so by Subject Reduction
$\Gamma, [N/x]\Delta \models [[N/x]M_2/z]C_2 \to D$. Also, $\Gamma, x{:}A, \Delta \models [M_2/z]B_2 \to B$
implies $[M_2/z]B_2 \to^* B$ by Adequacy, and so $\Gamma, [N/x]\Delta \models [N/x]B \to D$
by Subject Reduction.

We have two cases:

• $x = y$. Then $|\Pi z{:}B_1.B_2| \le |A'|$ by Lemma 12, so $|B_1| < |A'|$ and
$|C_1'| < |A'|$ by Lemma 13. Hence by the induction hypothesis there
are $T$, $U$ and $D'$ such that $\Gamma, [N/x]\Delta \models ([N/x]M_1)([N/x]M_2) \to
T \to U : D'$ and $\Gamma, [N/x]\Delta \models [[N/x]M_2/z]C_2 \to D'$. By Determinacy
$D = D'$, and $\Gamma, [N/x]\Delta \models ([N/x]P_1)([N/x]M_2) \to T \to U : D$
by Lemma 8.

• $x \neq y$. Then by Lemma 15 $[N/x]P_1$ has head variable $y$, so $[N/x]P_1 =
T_1$ by Lemma 14 because $\Gamma, [N/x]\Delta \models [N/x]P_1 \to T_1 \to U_1 : \Pi z{:}C_1.C_2$.
We know $[N/x]P_1$ is not an abstraction by Lemma 10, so by Base
$\Gamma, [N/x]\Delta \models ([N/x]M_1)([N/x]M_2) \to ([N/x]P_1)([N/x]M_2) : D$,
and $\Gamma, [N/x]\Delta \models ([N/x]P_1)([N/x]M_2) \to ([N/x]P_1)([N/x]M_2) : D$.
— $\lambda$, $\eta$. By the induction hypothesis there is a $C_1$ such that
$\Gamma, [N/x]\Delta \models [N/x]A_1 \to C_1$, and there are $U_0$ and $C_2$
such that $\Gamma, [N/x]\Delta, y{:}[N/x]A_1 \models [N/x]M_0 \to_n U_0 : C_2$ and
$\Gamma, [N/x]\Delta, y{:}[N/x]A_1 \models [N/x]A_2 \to C_2$. If $U_0 = U(y)$ with $y \not\in \mathrm{FV}(U)$
then $\Gamma, [N/x]\Delta \models [N/x](\lambda y{:}A_1.M_0) \to_n U : \Pi y{:}C_1.C_2$ by $\eta'$, and otherwise
$\Gamma, [N/x]\Delta \models [N/x](\lambda y{:}A_1.M_0) \to_n \lambda y{:}C_1.U_0 : \Pi y{:}C_1.C_2$ by $\lambda$. Furthermore,
$\Gamma, [N/x]\Delta \models [N/x](\Pi y{:}A_1.A_2) \to \Pi y{:}C_1.C_2$ by $\Pi$.

— $\beta$. By the induction hypothesis there are $T_1$ and $C$ such that $\Gamma, [N/x]\Delta \models
[N/x]M_1 \to T_1 : C$, $\Gamma, [N/x]\Delta \models [N/x](\lambda y{:}A_1.M_0) \to T_1 : C$, and
$\Gamma, [N/x]\Delta \models [N/x](\Pi z{:}B_1.B_2) \to C$. Also, there is a $C_1$ such that
$\Gamma, [N/x]\Delta \models [N/x]M_2 : C_1$ and $\Gamma, [N/x]\Delta \models [N/x]B_1 \to C_1$. Furthermore,
there are $T$, $U$ and $D$ such that

$$\Gamma, [N/x]\Delta \models [N/x][M_2/y]M_0 = [[N/x]M_2/y][N/x]M_0 \to T \to U : D,$$
$$\Gamma, [N/x]\Delta \models [N/x]P \to T \to U : D, \quad\text{and}\quad \Gamma, [N/x]\Delta \models [N/x]B \to D.$$

Also, there is a $D'$ such that $\Gamma, [N/x]\Delta \models [N/x][M_2/z]B_2 \to D'$.

We know $T_1 = [N/x](\lambda y{:}A_1.M_0)$ by Lemma 14. By inversion
$C = \Pi z{:}C_1'.C_2$ with $\Gamma, [N/x]\Delta \models [N/x]B_1 \to C_1'$ and
$\Gamma, [N/x]\Delta, z{:}[N/x]B_1 \models [N/x]B_2 \to C_2$, so by Determinacy $C_1 = C_1'$.
By Adequacy $[M_2/z]B_2 \to^* B$, so by Subject Reduction $\Gamma, [N/x]\Delta \models
[N/x]B \to D'$, and so by Determinacy $D = D'$.

Finally, $[N/x](\lambda y{:}A_1.M_0) = \lambda y{:}[N/x]A_1.[N/x]M_0$ and
$[N/x][M_2/y]M_0 = [[N/x]M_2/y][N/x]M_0$, so by $\beta$ we get
$\Gamma, [N/x]\Delta \models [N/x](M_1(M_2)) \to T \to U : D$.

2. This follows by induction on derivations that $\Gamma \models M \to P \to R : \Pi x{:}A'.B$.

— Var. We have $y{:}D \in \Gamma$ and $\Gamma \models D \to \Pi x{:}A'.B$. By inversion $D =
\Pi x{:}D_1.D_2$ and $\Gamma, x{:}D_1 \models D_2 \to B$. By Case 1 we know $\Gamma \models [N/x]D_2 \to
C$ for some $C$, and by Adequacy and Subject Reduction $\Gamma \models [N/x]B \to
C$, so by Base $\Gamma \models y(N) \to y(N) \to y(S) : C$.

— Base. $P_1(M_2)$ is not an abstraction. Hence, by Base $\Gamma \models M_1(M_2)(N) \to
P_1(M_2)(N) \to R_1(R_2)(S) : C$, where $\Gamma \models [N/x]B \to C$ by Case 1,
Adequacy and Subject Reduction.

— $\lambda$, $\eta$. We have the premisses $\Gamma, x{:}A \models M_0 : B$ and $\Gamma \models A \to A'$. Hence
by Case 1 there are $T$, $U$ and $C$ such that $\Gamma \models [N/x]M_0 \to T \to U : C$
and $\Gamma \models [N/x]B \to C$, so $\Gamma \models (\lambda x{:}A.M_0)(N) \to T \to U : C$ by $\beta$.

— $\beta$. By the induction hypothesis there are $T$, $U$ and $C$ such that $\Gamma \models
R(N) \to T \to U : C$ and $\Gamma \models [N/x]B \to C$, so $\Gamma \models M_1(M_2)(N) \to
T \to U : C$ by Lemma 8.

The typed operational semantics can now be shown sound for the Logical 
Framework. 

Theorem 2 (Soundness).

— If $\Gamma \vdash \mathrm{ok}$ then there is a $\Delta$ such that $\models \Gamma \to \Delta$.

— If $\Gamma \vdash A\ \mathrm{kind}$ then there is a $B$ such that $\Gamma \models A \to B$.

— If $\Gamma \vdash A = B$ then there is a $C$ such that $\Gamma \models A \to C$ and $\Gamma \models B \to C$.

— If $\Gamma \vdash M : A$ then there are $P$ and $B$ such that $\Gamma \models A \to B$ and $\Gamma \models
M \to_n P : B$.

— If $\Gamma \vdash M = N : A$ then there are $P$ and $B$ such that $\Gamma \models A \to B$,
$\Gamma \models M \to_n P : B$ and $\Gamma \models N \to_n P : B$.

Proof. By simultaneous induction on derivations. We consider several cases. No- 
tice that we need to consider all structural rules at this point. 



Soundness of the Logical Framework for Its Typed Operational Semantics 195



— El. By the induction hypothesis there are $P$ and $B$ such that $\Gamma \models M \to_n
P : B$ and $\Gamma \models \mathrm{Type} \to B$. By inversion $B = \mathrm{Type}$, so $\Gamma \models \mathrm{El}(M) \to \mathrm{El}(P)$
by El.

— Var. By the induction hypothesis $\Gamma_0, x{:}A, \Gamma_1 \models \mathrm{ok}$. By Subcontext $\Gamma_0, x{:}A \models
\mathrm{ok}$, so by inversion there is a $B$ such that $\Gamma_0 \models A \to B$. Hence, by Weakening
$\Gamma_0, x{:}A, \Gamma_1 \models A \to B$, and by Var $\Gamma_0, x{:}A, \Gamma_1 \models x \to x \to x : B$.

— $\lambda$. By the induction hypothesis there are $P_0$ and $B_2$ such that $\Gamma, x{:}A_1 \models
M_0 \to_n P_0 : B_2$ and $\Gamma, x{:}A_1 \models A_2 \to B_2$. Furthermore, by Subcontext and
inversion there is a $B_1$ such that $\Gamma \models A_1 \to B_1$. We know $\Gamma \models \Pi x{:}A_1.A_2 \to
\Pi x{:}B_1.B_2$ by $\Pi$. We then have two cases:

• $P_0 = P(x)$ with $x \not\in \mathrm{FV}(P)$. Then $\Gamma \models \lambda x{:}A_1.M_0 \to_n P : \Pi x{:}B_1.B_2$
by $\eta'$.

• $\lambda x{:}B_1.P_0$ is not an $\eta$-redex. Then $\Gamma \models \lambda x{:}A_1.M_0 \to_n \lambda x{:}B_1.P_0 : \Pi x{:}B_1.B_2$
by $\lambda$.

— App-Eq. By the induction hypothesis we know that $\Gamma \models M_1 \to_n P_1 : B$,
$\Gamma \models N_1 \to_n P_1 : B$, and $\Gamma \models \Pi x{:}A_1.A_2 \to B$. Also, $\Gamma \models M_2 \to_n P_2 : B_1'$,
$\Gamma \models N_2 \to_n P_2 : B_1'$, and $\Gamma \models A_1 \to B_1'$. By inversion of $\Gamma \models \Pi x{:}A_1.A_2 \to
B$ we know $B = \Pi x{:}B_1.B_2$, $\Gamma \models A_1 \to B_1$ and $\Gamma, x{:}A_1 \models A_2 \to B_2$. By
Determinacy $B_1 = B_1'$.

By Lemma 23 Case 2 we know $\Gamma \models M_1(M_2) \to_n U : C$ and $\Gamma \models [M_2/x]B_2 \to
C$, and $\Gamma \models N_1(N_2) \to_n U' : C'$ and $\Gamma \models [N_2/x]B_2 \to C'$. By Adequacy
and Subject Reduction $\Gamma \models P_1(P_2) \to_n U : C$ and $\Gamma \models [P_2/x]B_2 \to C$, and
$\Gamma \models P_1(P_2) \to_n U' : C'$ and $\Gamma \models [P_2/x]B_2 \to C'$. Hence, by Determinacy
$U = U'$ and $C = C'$.

Finally, we know $\Gamma, x{:}A_1 \models A_2 \to B_2$, so by Lemma 23 Case 1 $\Gamma \models
[M_2/x]A_2 \to C''$. By Adequacy and Subject Reduction $\Gamma \models [M_2/x]B_2 \to
C''$, so by Determinacy $C = C''$.

— We consider the classical substitution rule, where other structural rules
are similar. By the induction hypothesis $\Gamma_0, x{:}A, \Gamma_1 \models M \to_n P : D$ with
$\Gamma_0, x{:}A, \Gamma_1 \models B \to D$, and $\Gamma_0 \models N \to_n Q : C$ with $\Gamma_0 \models A \to C$.
By Lemma 23 Case 1 we know $\Gamma_0, [N/x]\Gamma_1 \models [N/x]M \to_n R : E$ and
$\Gamma_0, [N/x]\Gamma_1 \models [N/x]D \to E$ for some $R$ and $E$, and
$\Gamma_0, [N/x]\Gamma_1 \models [N/x]B \to F$ for some $F$. By Adequacy and Subject Reduction
$\Gamma_0, [N/x]\Gamma_1 \models [N/x]D \to F$, so by Determinacy $E = F$.



Corollary 2 (Equivalence).

— $\Gamma \vdash \mathrm{ok}$ iff $\Gamma \models \mathrm{ok}$.

— $\Gamma \vdash A\ \mathrm{kind}$ iff there is a $B$ such that $\Gamma \models A \to B$.

— $\Gamma \vdash M : A$ iff there is a $B$ such that $\Gamma \models A \to B$ and $\Gamma \models M : B$.

— $\Gamma \vdash A = B$ iff there is a $C$ such that $\Gamma \models A \to C$ and $\Gamma \models B \to C$.

— $\Gamma \vdash M = N : A$ iff there are $B$ and $P$ such that $\Gamma \models A \to B$, $\Gamma \models M \to_n
P : B$ and $\Gamma \models N \to_n P : B$.

By the equivalence of the Logical Framework and its typed operational semantics,
we can straightforwardly transfer the results of Church-Rosser, subject
reduction and strong normalization to the Logical Framework. Furthermore, as
the typed operational semantics is sound for judgements $\Gamma \vdash J$ and complete
for judgements $\Gamma \vdash^- J$, we have also demonstrated the admissibility of the
structural rules in Section 2.2, using the trivial inclusion from $\Gamma \vdash^- J$ to $\Gamma \vdash J$.

6 Conclusions 

We have shown that the simpler proof of strong normalization developed by
Joachimski and Matthes for the simply-typed $\lambda$-calculus lifts naturally to the
typed operational semantics for the Logical Framework. We have also given 
an elegant development of the full metatheory of the Logical Framework using 
typed operational semantics, and we have discussed the benefits of various design 
decisions that differentiate typed operational semantics from the operational 
definition of strong normalization used elsewhere in the literature. 

We believe that extending this proof technique to the Calculus of Construc- 
tions is an important project for the type theory community. Given that we have 
now demonstrated the successful use of this technique for the dependent-type 
corner of Barendregt’s cube, the most challenging outstanding problem seems to 
be studying the proof for System F. 

We would also like to prove soundness without the use of untyped reduction. 
For the simply-typed λ-calculus this follows naturally, but for the Logical Framework there is a subtle interaction between application, substitution and binders 
that makes the straightforward proof technique fail. As untyped reduction plays 
no role in defining the Logical Framework, it seems natural to expect that it can 
also be removed from the metatheory. In addition to the philosophical interest 
of this question, it has practical consequences for the metatheory of systems 
where untyped reduction may not be well-behaved, for example in the Logical 
Framework with coercions [7]. 
Intuitionistic Linear Type Theories 

Abstract. We develop a notion of Kripke-like parameterized logical 
predicates for two fragments of intuitionistic linear logic (MILL and 
DILL) in terms of their category-theoretic models. Such logical pred- 
icates are derived from the categorical glueing construction combined 
with the free symmetric monoidal cocompletion. As applications, we ob- 
tain full completeness results of translations between linear type theories. 



1 Introduction 

Suppose that a model of Multiplicative Intuitionistic Linear Logic (MILL) - 
the propositional fragment of linear logic [12] with $I$, $\otimes$ and $\multimap$ - is given. 
Also suppose that there is a property on elements of the model which is closed 
under tensor product and composition (cut) and other structural rules, and 
covers the interpretations of base types and constants. We show that such a 
property can be extended to the interpretation of all types so that it covers all 
MILL-definable elements. We also give a parallel result for Dual Intuitionistic 
Linear Logic (DILL) of Barber and Plotkin [5], which is an extension of MILL 
with the modality !. To achieve such results, we first give a suitable notion of 
such “predicates” on models of MILL and DILL, upon which we develop logical 
predicates and state the Basic Lemma. We then show that the construction 
above is an instance of our logical predicates. 

To see why we need to introduce a property closed under tensor and so on, it 
would be instructive to observe that the standard logical predicates for models 
of simply typed lambda calculus do not work well with the linear calculi and 
their models. We may have a predicate $P_b \subseteq A_b$ for each base type $b$, where $A_\sigma$ is a set in which the closed terms of type $\sigma$ are interpreted. As the standard logical predicates, we hope to define a predicate $P_\sigma \subseteq A_\sigma$ for every type $\sigma$ in an inductive way. However, we soon face a difficulty in constructing $P_{\sigma \otimes \tau}$ from $P_\sigma$ and $P_\tau$. The naive construction $P_{\sigma \otimes \tau} = \{a \otimes b \mid a \in P_\sigma, b \in P_\tau\}$ makes sense but can miss some interesting “undecomposable” elements of $A_{\sigma \otimes \tau}$; in particular, assume a constant of type $\sigma \otimes \tau$, then its interpretation may not belong to $P_{\sigma \otimes \tau}$ for any $P_\sigma$ and $P_\tau$. The same trouble appears when we construct $P_{!\sigma}$ from $P_\sigma$. 

We solve this problem by parameterizing the predicates on the tensor-closed 
property (in the similar way to the Kripke logical relations [2]), so that the 
parameter indicates the linearly used resource (or the linear context). Such parameterized predicates form a model of MILL and serve as a basis for constructing logical predicates for MILL. The problem of tensor types disappears if each 
interesting element satisfies the tensor-closed property. 

The construction is based on a few category-theoretic tools, specifically the 
presheaf construction (free symmetric monoidal cocompletion [15]) for symmetric 
monoidal categories and also a glueing (sconing, Freyd covering) construction 
[16,21] on symmetric monoidal closed categories. It is known that a setting for 
standard logical predicates can be obtained by glueing a cartesian closed category 
to Set [21,14]; ours is derived by glueing a symmetric monoidal closed category 
to the presheaf category of a small symmetric monoidal category (which specifies 
the tensor-closed property mentioned above). For DILL we further use a glueing 
construction of symmetric monoidal adjunction to accommodate the modality. 
However in this paper we leave these abstract ideas rather implicit (except in 
Sect. 4) and describe all constructions concretely. 

By applying our logical predicates method, we obtain the full completeness 
of syntactic translations between linear type theories. For instance, it is an im- 
mediate corollary of the Basic Lemma that MILL is a full fragment of DILL 
(Example 3), in the sense that, for any DILL-term $\emptyset ; \Delta \vdash M : \sigma$ with no $!$ in $\Delta$ 
nor $\sigma$, there always exists an MILL-term $\Delta \vdash N : \sigma$ such that $\emptyset ; \Delta \vdash M = N : \sigma$ 
holds. See Example 2 and 4 for other examples. 

Though the existing syntaxes for linear type theories are rather divergent, their 
semantic models are now well-established and related to each other, in terms of symmetric monoidal (closed) categories and adjunctions [6,8,5], and our approach 
based on such categorical models is likely to apply to many other linear type the- 
ories as well. In fact it is routine to modify our technique for non-commutative 
linear logic and monoidal (bi)closed categories (see [17]). Furthermore, by com- 
bining our approach with Hyland and Tan’s double glueing construction [23] (see 
Example 5) we can deal with a classical linear type theory (MLL). These results, 
proofs and further category-theoretic analysis are reported in the full paper [13]. 

Also it might be fruitful to adapt our method to programming languages, see 
for example the complexity-parameterized logical relation used in [11]. Another 
interesting direction is to combine our approach with other techniques of specifying 
properties of semantic categories, for instance that of specification structures [1]. 

Acknowledgements I thank Gordon Plotkin for discussions at the initial 
stage of this work. 



2 Multiplicative Intuitionistic Linear Logic 

We recall a simple fragment of intuitionistic linear logic (Multiplicative Intu- 
itionistic Linear Logic, MILL) together with the associated term calculus. The 
category-theoretic models are given as symmetric monoidal closed categories, 
for which soundness and completeness are known (e.g. [7]). See [10,8] for the 
category-theoretic concepts used in this paper. 
2.1 Syntax of MILL 

We briefly recall the syntax of MILL. The detail is discussed e.g. in [7]; our 
presentation is chosen so that it will be compatible with DILL (Sect. 5). A set 
of base types (write b for one) and also a set of constants are fixed throughout 
this paper. 



Types and Terms 

$$\sigma ::= b \mid I \mid \sigma \otimes \sigma \mid \sigma \multimap \sigma$$

$$M ::= c(M) \mid x \mid * \mid \text{let } * \text{ be } M \text{ in } M \mid M \otimes M \mid \text{let } x \otimes x \text{ be } M \text{ in } M \mid \lambda x.M \mid MM$$

We assume that each constant $c$ has a fixed arity $\sigma \to \tau$, where $\sigma$ and $\tau$ are types 
which do not involve $\multimap$. (This restriction on arity is for ease of presentation and 
not essential.) 



Typing 

$$\frac{c : \sigma \to \tau \qquad \Delta \vdash M : \sigma}{\Delta \vdash c(M) : \tau}\ (\mathrm{Constant}) \qquad\qquad \frac{}{x : \sigma \vdash x : \sigma}\ (\mathrm{Variable})$$

$$\frac{}{\vdash * : I}\ (I\mathrm{I}) \qquad\qquad \frac{\Delta_1 \vdash M : I \qquad \Delta_2 \vdash N : \sigma}{\Delta_1 \# \Delta_2 \vdash \text{let } * \text{ be } M \text{ in } N : \sigma}\ (I\mathrm{E})$$

$$\frac{\Delta_1 \vdash M : \sigma \qquad \Delta_2 \vdash N : \tau}{\Delta_1 \# \Delta_2 \vdash M \otimes N : \sigma \otimes \tau}\ (\otimes\mathrm{I}) \qquad\qquad \frac{\Delta_1 \vdash M : \sigma \otimes \tau \qquad \Delta_2, x : \sigma, y : \tau \vdash N : \theta}{\Delta_1 \# \Delta_2 \vdash \text{let } x \otimes y \text{ be } M \text{ in } N : \theta}\ (\otimes\mathrm{E})$$

$$\frac{\Delta, x : \sigma \vdash M : \tau}{\Delta \vdash \lambda x.M : \sigma \multimap \tau}\ (\multimap\mathrm{I}) \qquad\qquad \frac{\Delta_1 \vdash M : \sigma \multimap \tau \qquad \Delta_2 \vdash N : \sigma}{\Delta_1 \# \Delta_2 \vdash MN : \tau}\ (\multimap\mathrm{E})$$

where $\Delta_1 \# \Delta_2$ is a merge of $\Delta_1$ and $\Delta_2$ (this notation is taken from [5]). We note 
that any typing judgement has a unique derivation. 

Axioms 

$$\text{let } * \text{ be } * \text{ in } M = M \qquad\qquad \text{let } * \text{ be } M \text{ in } * = M$$

$$\text{let } x \otimes y \text{ be } M \otimes N \text{ in } L = L[M/x, N/y] \qquad\qquad \text{let } x \otimes y \text{ be } M \text{ in } x \otimes y = M$$

$$(\lambda x.M)N = M[N/x] \qquad\qquad \lambda x.Mx = M$$

$$C[\text{let } * \text{ be } M \text{ in } N] = \text{let } * \text{ be } M \text{ in } C[N]$$

$$C[\text{let } x \otimes y \text{ be } M \text{ in } N] = \text{let } x \otimes y \text{ be } M \text{ in } C[N]$$

In the above $C[-]$ indicates a (well-typed) context - we assume suitable conditions on variables for avoiding undesirable captures. The equational theory of 
MILL is defined as the congruence relation on the terms with typing judgement 
generated from these axioms. 
2.2 Semantics of MILL 

Let $\mathbb C$ be a symmetric monoidal closed category with tensor product $\otimes$, unit 
object $I$ and exponent $\multimap$. Assume that there is an object $\llbracket b \rrbracket$ for each base type 
$b$ and an arrow $\llbracket c \rrbracket : \llbracket \sigma \rrbracket \to \llbracket \tau \rrbracket$ for each constant $c : \sigma \to \tau$, where $\llbracket \sigma \rrbracket$ is defined by 
$\llbracket I \rrbracket = I$, $\llbracket \sigma \otimes \tau \rrbracket = \llbracket \sigma \rrbracket \otimes \llbracket \tau \rrbracket$ and $\llbracket \sigma \multimap \tau \rrbracket = \llbracket \sigma \rrbracket \multimap \llbracket \tau \rrbracket$. For each typing judgement 
$\Delta \vdash M : \tau$, we define its interpretation $\llbracket \Delta \vdash M : \tau \rrbracket : \llbracket \Delta \rrbracket \to \llbracket \tau \rrbracket$ in $\mathbb C$ as follows, 
where $\llbracket \Delta \rrbracket = (\ldots(\llbracket \sigma_1 \rrbracket \otimes \llbracket \sigma_2 \rrbracket) \ldots) \otimes \llbracket \sigma_n \rrbracket$ for $\Delta = x_1 : \sigma_1, x_2 : \sigma_2, \ldots, x_n : \sigma_n$. 

$$\llbracket \Delta \vdash c(M) : \tau \rrbracket = \llbracket \Delta \rrbracket \xrightarrow{\ \llbracket \Delta \vdash M : \sigma \rrbracket\ } \llbracket \sigma \rrbracket \xrightarrow{\ \llbracket c \rrbracket\ } \llbracket \tau \rrbracket$$

$$\llbracket x : \sigma \vdash x : \sigma \rrbracket = \llbracket \sigma \rrbracket \xrightarrow{\ \mathrm{id}\ } \llbracket \sigma \rrbracket$$

$$\llbracket\ \vdash * : I \rrbracket = I \xrightarrow{\ \mathrm{id}\ } I$$

$$\llbracket \Delta_1 \# \Delta_2 \vdash \text{let } * \text{ be } M \text{ in } N : \sigma \rrbracket = \llbracket \Delta_1 \# \Delta_2 \rrbracket \xrightarrow{\ \cong\ } \llbracket \Delta_1 \rrbracket \otimes \llbracket \Delta_2 \rrbracket \xrightarrow{\ \llbracket \Delta_1 \vdash M : I \rrbracket \otimes \llbracket \Delta_2 \vdash N : \sigma \rrbracket\ } I \otimes \llbracket \sigma \rrbracket \xrightarrow{\ \cong\ } \llbracket \sigma \rrbracket$$

$$\llbracket \Delta_1 \# \Delta_2 \vdash M \otimes N : \sigma \otimes \tau \rrbracket = \llbracket \Delta_1 \# \Delta_2 \rrbracket \xrightarrow{\ \cong\ } \llbracket \Delta_1 \rrbracket \otimes \llbracket \Delta_2 \rrbracket \xrightarrow{\ \llbracket \Delta_1 \vdash M : \sigma \rrbracket \otimes \llbracket \Delta_2 \vdash N : \tau \rrbracket\ } \llbracket \sigma \rrbracket \otimes \llbracket \tau \rrbracket$$

$$\llbracket \Delta_1 \# \Delta_2 \vdash \text{let } x \otimes y \text{ be } M \text{ in } N : \theta \rrbracket = \llbracket \Delta_1 \# \Delta_2 \rrbracket \xrightarrow{\ \cong\ } \llbracket \Delta_1 \rrbracket \otimes \llbracket \Delta_2 \rrbracket \xrightarrow{\ \llbracket \Delta_1 \vdash M : \sigma \otimes \tau \rrbracket \otimes \mathrm{id}_{\llbracket \Delta_2 \rrbracket}\ } (\llbracket \sigma \rrbracket \otimes \llbracket \tau \rrbracket) \otimes \llbracket \Delta_2 \rrbracket \xrightarrow{\ \cong\ } (\llbracket \Delta_2 \rrbracket \otimes \llbracket \sigma \rrbracket) \otimes \llbracket \tau \rrbracket \xrightarrow{\ \llbracket \Delta_2, x : \sigma, y : \tau \vdash N : \theta \rrbracket\ } \llbracket \theta \rrbracket$$

$$\llbracket \Delta \vdash \lambda x.M : \sigma \multimap \tau \rrbracket = \llbracket \Delta \rrbracket \xrightarrow{\ \Lambda(\llbracket \Delta, x : \sigma \vdash M : \tau \rrbracket)\ } \llbracket \sigma \rrbracket \multimap \llbracket \tau \rrbracket$$

$$\llbracket \Delta_1 \# \Delta_2 \vdash MN : \tau \rrbracket = \llbracket \Delta_1 \# \Delta_2 \rrbracket \xrightarrow{\ \cong\ } \llbracket \Delta_1 \rrbracket \otimes \llbracket \Delta_2 \rrbracket \xrightarrow{\ \llbracket \Delta_1 \vdash M : \sigma \multimap \tau \rrbracket \otimes \llbracket \Delta_2 \vdash N : \sigma \rrbracket\ } (\llbracket \sigma \rrbracket \multimap \llbracket \tau \rrbracket) \otimes \llbracket \sigma \rrbracket \xrightarrow{\ \mathrm{ev}\ } \llbracket \tau \rrbracket$$

where $\cong$ denotes a (uniquely determined) canonical isomorphism. We write $\mathrm{ev}$ 
for the counit of the adjunction $- \otimes C \dashv C \multimap -$, and $\Lambda(f) : A \to C \multimap B$ for the 
adjoint mate of $f : A \otimes C \to B$. 

Proposition 1. This semantics is sound and complete. □ 



3 Logical Predicates for MILL 

We introduce parameterized predicates on objects of a symmetric monoidal 
closed category, and show that such predicates give rise to another symmetric 
monoidal closed category. We then define the logical predicates as type-indexed 
families of the predicates (inductively determined on the type structure), and 
state the Basic Lemma. We also give the canonically determined logical pred- 
icate which is used in showing full completeness of translations between linear 
type theories. We conclude this section by sketching the generalization to logical 
relations. 
3.1 $\mathbb C_0$-Predicates 

Let $\mathbb C_0$ be a small symmetric monoidal category, $\mathbb C_1$ a locally small symmetric 
monoidal closed category and $I$ be a strict symmetric monoidal functor from $\mathbb C_0$ 
to $\mathbb C_1$. 

Definition 1. An $\mathrm{Obj}(\mathbb C_0)$-indexed set $P = \{P(X)\}_{X \in \mathbb C_0}$ is a $\mathbb C_0$-predicate on 
$A \in \mathbb C_1$ when 

— $P(X) \subseteq \mathbb C_1(IX, A)$ for $X \in \mathbb C_0$, and 

— for $f \in \mathbb C_0(X, Y)$, $g \in P(Y)$ implies $g \circ If \in P(X)$. □ 

We may intuitively think that $\mathbb C_1(IX, A)$ represents the set of proofs of a sequent $X \vdash A$, and $\mathbb C_0$ (imported into $\mathbb C_1$ via $I$) determines a property on proofs 
which is closed under tensor, composition and structural constructions. Unlike 
the traditional non-linear calculi and logical predicates over them, we explicitly 
state the “resource” $X$, which plays some significant role in our work. Then, for 
a $\mathbb C_0$-predicate $P$ on $A$, $P(X)$ is a predicate on the proofs of $X \vdash A$. The second 
condition tells us that $P$ is stable under the change of resource along a proof of 
$X \vdash Y$, provided that it satisfies the property $\mathbb C_0$. 

Definition 2. Define the category of $\mathbb C_0$-predicates $\mathbb C_0$PRED as follows: 

— an object of $\mathbb C_0$PRED is a pair $(P, A)$ where $P$ is a $\mathbb C_0$-predicate on $A \in \mathbb C_1$; 

— an arrow from $(P, A)$ to $(Q, B)$ is an arrow $h \in \mathbb C_1(A, B)$ such that $g \in P(X)$ 
implies $h \circ g \in Q(X)$. □ 

Definition 3. For $\mathbb C_0$-predicates $P$ on $A$ and $Q$ on $B$, define $\mathbb C_0$-predicates $P \otimes Q$ 
on $A \otimes B$ and $P \multimap Q$ on $A \multimap B$ as follows. 

$$(P \otimes Q)(X) = \{ (g \otimes h) \circ If \mid \exists Y, Z \in \mathbb C_0,\ f \in \mathbb C_0(X, Y \otimes Z),\ g \in P(Y),\ h \in Q(Z) \}$$

$$(P \multimap Q)(X) = \{ f \in \mathbb C_1(IX, A \multimap B) \mid \forall Y \in \mathbb C_0,\ g \in P(Y) \text{ implies } \mathrm{ev} \circ (f \otimes g) \in Q(X \otimes Y) \}$$

□ 

The definition of $P \otimes Q$ above is derived from a few category-theoretic tools, 
which will be explained in Sect. 4; for now, we shall give a proof-theoretic explanation. A sequent $X \vdash A \otimes B$ can be derived as 

$$\frac{\Pi_f : X \vdash Y \otimes Z \qquad \Pi_g : Y \vdash A \qquad \Pi_h : Z \vdash B}{X \vdash A \otimes B}$$

where $X \vdash Y \otimes Z$ splits a resource $X$ to $Y$ and $Z$ which are used to prove $A$ 
and $B$ respectively. In general, such a splitting of resource is not unique, so we 
consider all possible cases such that (i) the proof $\Pi_f$ of the splitting satisfies the 
“tensor-closed property” $\mathbb C_0$ and (ii) the proofs $\Pi_g$ of $Y \vdash A$ and $\Pi_h$ of $Z \vdash B$ 
satisfy the predicates $P(Y)$ and $Q(Z)$ respectively - in such cases we say that 
the derivation satisfies the property $(P \otimes Q)(X)$. 

The definition of $P \multimap Q$ is in spirit the same as the usual definition of 
logical predicates; $M : A \multimap B$ satisfies $P \multimap Q$ if and only if $MN : B$ belongs 
to $Q$ for any $N : A$ satisfying $P$. However, since our type theory is linear, we 
have to deal with the resources of terms linearly, and we explicitly state them 
in the definition: intuitively, $\Delta \vdash M : A \multimap B$ satisfies $P \multimap Q$ if and only if 
$\Delta, \Delta' \vdash MN : B$ satisfies $Q$ for any $\Delta' \vdash N : A$ satisfying $P$. 

Lemma 1. For each $X, A \in \mathbb C_0$ define $P_A(X) = \{ If \mid f \in \mathbb C_0(X, A) \}$. Then 

— $P_A$ is a $\mathbb C_0$-predicate on $IA$. 

— $f : (P_A, IA) \to (P_B, IB)$ in $\mathbb C_0$PRED iff $f = Ig$ for some $g \in \mathbb C_0(A, B)$. 

— $P_A \otimes P_B = P_{A \otimes B}$. □ 

Proposition 2. $\mathbb C_0$PRED forms a symmetric monoidal closed category by the 
following data: the unit object is $(P_I, I)$, tensor is given by $(P, A) \otimes (Q, B) = 
(P \otimes Q, A \otimes B)$, and exponent $(P, A) \multimap (Q, B) = (P \multimap Q, A \multimap B)$. Moreover 
$P$ extends to a strict symmetric monoidal functor from $\mathbb C_0$ to $\mathbb C_0$PRED which 
is full. □ 

Remark 1. If $\mathbb C_0$ is closed and $I$ preserves exponents strictly, then so is $P$ - in 
particular we have $P_{A \multimap B} = P_A \multimap P_B$. □ 

Example 1 (Subsconing). If $\mathbb C_0$ is equivalent to the one object one arrow category, a $\mathbb C_0$-predicate on $A$ is just a subset of $\mathbb C_1(I, A)$, thus is a predicate on the 
global elements of $A$. For predicates $P$ on $A$ and $Q$ on $B$, we have 

$$P \otimes Q = \{ (g \otimes h) \circ \cong\ \mid g \in P, h \in Q \}$$

$$P \multimap Q = \{ f \in \mathbb C_1(I, A \multimap B) \mid \mathrm{ev} \circ (f \otimes g) \circ \cong\ \in Q \text{ for any } g \in P \}$$

where $\cong$ indicates the canonical isomorphism $I \to I \otimes I$. Following [21] we call 
this category of predicates the subsconing of $\mathbb C_1$ and write $\tilde{\mathbb C}_1$ for it. □ 
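As an added check, which is not part of the paper, the two formulas of Example 1 can be read off from Definition 3 directly. Take $\mathbb C_0$ equivalent to the one object one arrow category, write $\mathbf 1$ for a chosen object, and let $u : \mathbf 1 \to \mathbf 1 \otimes \mathbf 1$ be the unique arrow (so $Iu$ is the canonical isomorphism $\cong : I \to I \otimes I$, since $I$ is strict); the names $\mathbf 1$ and $u$ are introduced here only for this derivation. Because every object of $\mathbb C_0$ is isomorphic to $\mathbf 1$ through its unique arrow, the second condition of Definition 1 lets us move any $g \in P(Y)$ to $P(\mathbf 1)$ and back, so it suffices to evaluate the clauses of Definition 3 at $X = Y = Z = \mathbf 1$. For the tensor clause this gives 

$$(P \otimes Q)(\mathbf 1) = \{ (g \otimes h) \circ Iu \mid g \in P(\mathbf 1),\ h \in Q(\mathbf 1) \} = \{ (g \otimes h) \circ \cong\ \mid g \in P,\ h \in Q \}.$$

For the exponent clause, a $k \in \mathbb C_1(I \otimes I, B)$ lies in $Q(\mathbf 1 \otimes \mathbf 1)$ iff $k \circ Iu \in Q(\mathbf 1)$ (apply the second condition of Definition 1 once to $u$ and once to its inverse), hence 

$$(P \multimap Q)(\mathbf 1) = \{ f \in \mathbb C_1(I, A \multimap B) \mid g \in P(\mathbf 1) \Rightarrow \mathrm{ev} \circ (f \otimes g) \in Q(\mathbf 1 \otimes \mathbf 1) \} = \{ f \mid \mathrm{ev} \circ (f \otimes g) \circ \cong\ \in Q \text{ for any } g \in P \},$$

which is exactly the description of the subscone given in Example 1.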

3.2 Logical $\mathbb C_0$-Predicates 

Suppose that we have $\mathbb C_0$, $\mathbb C_1$ and $I : \mathbb C_0 \to \mathbb C_1$ as before. Also we fix an interpretation $\llbracket - \rrbracket_1$ of MILL in $\mathbb C_1$. 

Definition 4. A type-indexed family $\{P_\sigma\}$ is a logical $\mathbb C_0$-predicate if 

— $P_\sigma$ is a $\mathbb C_0$-predicate on $\llbracket \sigma \rrbracket_1$, 

— $P_I = P_I$ (the $\mathbb C_0$-predicate of Lemma 1), $P_{\sigma \otimes \tau} = P_\sigma \otimes P_\tau$, $P_{\sigma \multimap \tau} = P_\sigma \multimap P_\tau$, and 

— $\llbracket c \rrbracket_1 : (P_\sigma, \llbracket \sigma \rrbracket_1) \to (P_\tau, \llbracket \tau \rrbracket_1)$ for each constant $c : \sigma \to \tau$. 

□ 

Note that a logical $\mathbb C_0$-predicate is determined by its instances at base types. 
Given a logical $\mathbb C_0$-predicate $\{P_\sigma\}$, we can interpret MILL in $\mathbb C_0$PRED by $\llbracket b \rrbracket = 
(P_b, \llbracket b \rrbracket_1)$ for each base type $b$ and $\llbracket c \rrbracket = \llbracket c \rrbracket_1 : (P_\sigma, \llbracket \sigma \rrbracket_1) \to (P_\tau, \llbracket \tau \rrbracket_1)$ for each 
constant $c : \sigma \to \tau$. Thus we have 

Lemma 2 (Basic Lemma for MILL). Let $\{P_\sigma\}$ be a logical $\mathbb C_0$-predicate. 
Then, for any term $\Delta \vdash M : \tau$, $\llbracket \Delta \vdash M : \tau \rrbracket_1 : (P_{|\Delta|}, \llbracket |\Delta| \rrbracket_1) \to (P_\tau, \llbracket \tau \rrbracket_1)$ 
holds. □ 
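The paper omits the proof of Lemma 2; as an added example (not the paper's own argument) here is the $(\multimap\mathrm{E})$ case, carried out with Definitions 1–3. Assume, as induction hypotheses, that $\llbracket \Delta_1 \vdash M : \sigma \multimap \tau \rrbracket_1$ and $\llbracket \Delta_2 \vdash N : \sigma \rrbracket_1$ are arrows of $\mathbb C_0$PRED, and identify $P_{|\Delta_1 \# \Delta_2|}$ with $P_{|\Delta_1|} \otimes P_{|\Delta_2|}$ along the canonical isomorphism $\llbracket \Delta_1 \# \Delta_2 \rrbracket_1 \cong \llbracket \Delta_1 \rrbracket_1 \otimes \llbracket \Delta_2 \rrbracket_1$ (an assumption made for this example). Take $X \in \mathbb C_0$ and $k \in (P_{|\Delta_1|} \otimes P_{|\Delta_2|})(X)$; by Definition 3, $k = (g \otimes h) \circ If$ with $f \in \mathbb C_0(X, Y \otimes Z)$, $g \in P_{|\Delta_1|}(Y)$ and $h \in P_{|\Delta_2|}(Z)$. Using the interpretation of application from Sect. 2.2, 

$$\llbracket \Delta_1 \# \Delta_2 \vdash MN : \tau \rrbracket_1 \circ k = \mathrm{ev} \circ (\llbracket M \rrbracket_1 \otimes \llbracket N \rrbracket_1) \circ (g \otimes h) \circ If = \mathrm{ev} \circ \big( (\llbracket M \rrbracket_1 \circ g) \otimes (\llbracket N \rrbracket_1 \circ h) \big) \circ If .$$

By the induction hypotheses $\llbracket M \rrbracket_1 \circ g \in (P_\sigma \multimap P_\tau)(Y)$ and $\llbracket N \rrbracket_1 \circ h \in P_\sigma(Z)$, so the $\multimap$ clause of Definition 3 gives 

$$\mathrm{ev} \circ \big( (\llbracket M \rrbracket_1 \circ g) \otimes (\llbracket N \rrbracket_1 \circ h) \big) \in P_\tau(Y \otimes Z),$$

and the second condition of Definition 1 (change of resource along $f : X \to Y \otimes Z$) places the composite with $If$ in $P_\tau(X)$. Hence $\llbracket \Delta_1 \# \Delta_2 \vdash MN : \tau \rrbracket_1$ is an arrow $(P_{|\Delta_1 \# \Delta_2|}, \llbracket \Delta_1 \# \Delta_2 \rrbracket_1) \to (P_\tau, \llbracket \tau \rrbracket_1)$ of $\mathbb C_0$PRED, as Lemma 2 claims for this case.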

$\mathbb C_0$ itself determines a logical $\mathbb C_0$-predicate in a canonical way, provided that 

— for each base type $b$ there is an object $\llbracket b \rrbracket_0 \in \mathbb C_0$, and 

— for each constant $c : \sigma \to \tau$ there is an arrow $\llbracket c \rrbracket_0 \in \mathbb C_0(\llbracket \sigma \rrbracket_0, \llbracket \tau \rrbracket_0)$ 

where $\llbracket \sigma \rrbracket_0$ is defined inductively by $\llbracket I \rrbracket_0 = I$ and $\llbracket \sigma \otimes \tau \rrbracket_0 = \llbracket \sigma \rrbracket_0 \otimes \llbracket \tau \rrbracket_0$. Then we 
automatically have an interpretation $\llbracket - \rrbracket_1$ in $\mathbb C_1$ determined by $\llbracket b \rrbracket_1 = I(\llbracket b \rrbracket_0)$ and 
$\llbracket c \rrbracket_1 = I(\llbracket c \rrbracket_0)$. Now define the canonical logical $\mathbb C_0$-predicate $\{P^*_\sigma\}$ by $P^*_b = P_{\llbracket b \rrbracket_0}$. 
The Basic Lemma for the canonical logical $\mathbb C_0$-predicate implies that, at $\multimap$-free types 
(at any types if $\mathbb C_0$ and $I$ are closed) a definable element is in the image of $I$. 



3.3 Binary Logical $\mathbb C_0$-Relations 

It is straightforward to generalize (or specialize) our logical predicates to multiple 
arguments, i.e. logical relations, in the same way as demonstrated in [21]. Here we 
spell out the case of binary ones. Suppose that $\mathbb C_0$ is a small symmetric monoidal 
category, $\mathbb C_1$ and $\mathbb C_2$ are locally small symmetric monoidal closed categories and 
that $I_1 : \mathbb C_0 \to \mathbb C_1$ and $I_2 : \mathbb C_0 \to \mathbb C_2$ are strict symmetric monoidal functors. A 
binary $\mathbb C_0$-relation is just a $\mathbb C_0$-predicate obtained by replacing $\mathbb C_1$ by $\mathbb C_1 \times \mathbb C_2$ 
and $I$ by $(I_1, I_2) : \mathbb C_0 \to \mathbb C_1 \times \mathbb C_2$. Explicitly: 

Definition 5. An $\mathrm{Obj}(\mathbb C_0)$-indexed set $R = \{R(X)\}_{X \in \mathbb C_0}$ is a $\mathbb C_0$-relation on 
$(A, B) \in \mathbb C_1 \times \mathbb C_2$ when $R(X) \subseteq \mathbb C_1(I_1 X, A) \times \mathbb C_2(I_2 X, B)$ for $X \in \mathbb C_0$, and, for 
$f \in \mathbb C_0(X, Y)$, $(g, h) \in R(Y)$ implies $(g \circ I_1 f, h \circ I_2 f) \in R(X)$. □ 

Definition 6. Define the category of $\mathbb C_0$-relations $\mathbb C_0$REL as follows: an object 
of $\mathbb C_0$REL is a triple $(A, B, R)$ where $R$ is a $\mathbb C_0$-relation on $(A, B)$; and an arrow 
from $(A, B, R)$ to $(A', B', R')$ is a pair $(h \in \mathbb C_1(A, A'), k \in \mathbb C_2(B, B'))$ such that 
$(f, g) \in R(X)$ implies $(h \circ f, k \circ g) \in R'(X)$. □ 



Proposition 2 tells us that $\mathbb C_0$REL is a symmetric monoidal closed category. More 
explicitly, for $\mathbb C_0$-relations $R$ on $(A, B)$ and $R'$ on $(A', B')$, we have $\mathbb C_0$-relations 
$R \otimes R'$ on $(A \otimes A', B \otimes B')$ and $R \multimap R'$ on $(A \multimap A', B \multimap B')$ as follows. 

$$(R \otimes R')(X) = \{ ((g \otimes g') \circ I_1 f,\ (h \otimes h') \circ I_2 f) \mid \exists Y, Z \in \mathbb C_0,\ f \in \mathbb C_0(X, Y \otimes Z),\ (g, h) \in R(Y),\ (g', h') \in R'(Z) \}$$

$$(R \multimap R')(X) = \{ (f, g) \mid \forall Y \in \mathbb C_0,\ (a, b) \in R(Y) \text{ implies } (\mathrm{ev} \circ (f \otimes a),\ \mathrm{ev} \circ (g \otimes b)) \in R'(X \otimes Y) \}$$
Now fix interpretations $\llbracket - \rrbracket_1$ and $\llbracket - \rrbracket_2$ of MILL in $\mathbb C_1$ and $\mathbb C_2$ respectively. 

Definition 7. A type-indexed family $\{R_\sigma\}$ is a logical $\mathbb C_0$-relation if 

— $R_\sigma$ is a $\mathbb C_0$-relation on $(\llbracket \sigma \rrbracket_1, \llbracket \sigma \rrbracket_2)$, 

— $R_I(X) = \{ (I_1 f, I_2 f) \mid f \in \mathbb C_0(X, I) \}$, $R_{\sigma \otimes \tau} = R_\sigma \otimes R_\tau$, $R_{\sigma \multimap \tau} = R_\sigma \multimap R_\tau$, and 

— $(\llbracket c \rrbracket_1, \llbracket c \rrbracket_2) : (\llbracket \sigma \rrbracket_1, \llbracket \sigma \rrbracket_2, R_\sigma) \to (\llbracket \tau \rrbracket_1, \llbracket \tau \rrbracket_2, R_\tau)$ for each constant $c : \sigma \to \tau$. □ 

Lemma 3 (Basic Lemma, binary version). Let $\{R_\sigma\}$ be a logical $\mathbb C_0$-relation. 
Then, for any $\Delta \vdash M : \tau$, $(\llbracket \Delta \vdash M : \tau \rrbracket_1, \llbracket \Delta \vdash M : \tau \rrbracket_2) : (\llbracket |\Delta| \rrbracket_1, \llbracket |\Delta| \rrbracket_2, R_{|\Delta|}) \to 
(\llbracket \tau \rrbracket_1, \llbracket \tau \rrbracket_2, R_\tau)$ holds. □ 

4 Categorical Glueing 

We sketch the categorical glueing constructions used in our development; the 
detailed category-theoretic analysis is found in [13]. 

We write $(\mathbb B \downarrow \Gamma)$ for the comma category [19] (or the “glued category”) of a 
functor $\Gamma : \mathbb C \to \mathbb B$. An object of $(\mathbb B \downarrow \Gamma)$ is a triple $(D \in \mathbb B, C \in \mathbb C, f : D \to \Gamma C)$. 
An arrow from $(D, C, f)$ to $(D', C', f')$ is a pair $(d : D \to D', c : C \to C')$ 
satisfying $\Gamma c \circ f = f' \circ d$. We note that there is a projection functor $p : (\mathbb B \downarrow 
\Gamma) \to \mathbb C$ given by $p(D, C, f) = C$ and $p(d, c) = c$. 

Lemma 4. Suppose that $\mathbb C$ and $\mathbb B$ are symmetric monoidal closed categories and 
that $F : \mathbb C \to \mathbb B$ is a symmetric monoidal functor. Moreover suppose that $\mathbb B$ has 
pullbacks. Then the comma category $\mathcal G = (\mathbb B \downarrow F)$ can be given a symmetric 
monoidal closed structure, so that the projection $p : \mathcal G \to \mathbb C$ is strict symmetric 
monoidal closed. 

Proof (sketch). We define the symmetric monoidal structure on $\mathcal G$ by 

$$I_{\mathcal G} = (I_{\mathbb B}, I_{\mathbb C}, m_I)$$

$$(D, C, f) \otimes (D', C', f') = (D \otimes D', C \otimes C', m_{C,C'} \circ (f \otimes f'))$$

$$(d, c) \otimes (d', c') = (d \otimes d', c \otimes c')$$

where $m_I : I_{\mathbb B} \to F I_{\mathbb C}$ and $m_{C,C'} : FC \otimes FC' \to F(C \otimes C')$ are the coherent 
morphisms of the symmetric monoidal functor $F$. Exponents are defined as 

$$(D, C, f) \multimap (D', C', f') = \big( (D \multimap D') \times_{D \multimap FC'} F(C \multimap C'),\ C \multimap C',\ \pi \big)$$

where $\pi$ is the pullback projection onto $F(C \multimap C')$, which is given by the following pullback in $\mathbb B$. 

[Pullback square in $\mathbb B$ with vertices $(D \multimap D') \times_{D \multimap FC'} F(C \multimap C')$, $F(C \multimap C')$, $D \multimap D'$, $FC \multimap FC'$ and $D \multimap FC'$; its arrows carry the labels $\pi_1$, $\Lambda(F\,\mathrm{ev}_{C,C'} \circ \cdots)$, $f \multimap FC'$ and $D \multimap f'$.] 

□ 

This result seems to be folklore. Notice that the glueing functor $F$ does not have 
to be strong. 

In the situation of the last section, by letting $\Gamma : \mathbb C_1 \to \mathbf{Set}^{\mathbb C_0^{op}}$ be the 
functor which sends $X$ to $\mathbb C_1(I-, X)$, we obtain the setting for the category of 
$\mathbb C_0$-predicates. The symmetric monoidal closed structure of $\mathbf{Set}^{\mathbb C_0^{op}}$ is given by 

$$(F \otimes G)(-) = \int^{X,Y} FX \times GY \times \mathbb C_0(-, X \otimes Y) \qquad \text{and} \qquad (F \multimap G)(-) = \mathbf{Set}^{\mathbb C_0^{op}}(F(=), G(- \otimes =))$$

(see [15]), for which $\Gamma$ becomes symmetric 
monoidal. For describing the predicates, we are interested in the full subcategory 
of the glued category whose objects are subobjects in $\mathbf{Set}^{\mathbb C_0^{op}}$. This is precisely 
the category $\mathbb C_0$PRED, which is again symmetric monoidal closed; the definitions 
of unit and tensor are patched in the obvious way (this is possible because $\mathbf{Set}^{\mathbb C_0^{op}}$ 
admits epi-mono factorization), resulting in the concrete descriptions in Sect. 3. 

Lafont has shown that, using the glueing for cartesian closed categories, a 
small cartesian category fully and faithfully embeds to the cartesian closed cat- 
egory freely generated from the former [16]. We can use CoPRED for showing a 
parallel result: 



Example 2. Let $\mathbb C_0$ be a small symmetric monoidal category and $\mathbb C_1$ be the symmetric monoidal closed category freely generated from $\mathbb C_0$. Then the embedding 
$I : \mathbb C_0 \to \mathbb C_1$ is full faithful. Faithfulness is easily shown by constructing a symmetric monoidal closed category to which $\mathbb C_0$ faithfully embeds. Fullness follows 
from the commutative diagrams 

[Commutative diagram with vertices $\mathbb C_0$, $\mathbb C_1$ and $\mathbb C_0$PRED, and edges $I : \mathbb C_0 \to \mathbb C_1$, $P : \mathbb C_0 \to \mathbb C_0$PRED, $P^* : \mathbb C_1 \to \mathbb C_0$PRED and $p : \mathbb C_0$PRED $\to \mathbb C_1$.] 

where $P^*$ is the uniquely determined strict symmetric monoidal closed functor 
making the upper triangle commute, and the right triangle commutes because 
of the universal property of $I$. Since both $P$ and $p$ are full, so is $I = p \circ P$. □ 

Syntactically, this implies that the $I, \otimes$-fragment of MILL is full in MILL; we 
can show it by applying the Basic Lemma to the canonical logical predicate 
(where $\mathbb C_0$ is the term model of the $I, \otimes$-fragment), which in fact is a concrete 
reworking of Example 2. 

For interpreting the modality ! of DILL in the following section, we will need 
to determine a symmetric monoidal adjunction between the glued categories: 
Lemma 5. Suppose that $F \dashv U : \mathbb C_1 \rightleftarrows \mathbb C_2$ and $F' \dashv U' : \mathbb B_1 \rightleftarrows \mathbb B_2$ are (symmetric monoidal) 
adjunctions, with (symmetric monoidal) functors $F_1 : \mathbb C_1 \to \mathbb B_1$ and $F_2 : \mathbb C_2 \to 
\mathbb B_2$ together with a (monoidal) natural isomorphism $\tau : U' F_2 \simeq F_1 U$. For $\mathcal G_1 = 
(\mathbb B_1 \downarrow F_1)$ and $\mathcal G_2 = (\mathbb B_2 \downarrow F_2)$, there are functors $\mathcal T : \mathcal G_1 \to \mathcal G_2$ and $\mathcal U : \mathcal G_2 \to \mathcal G_1$ 
given by 

$$\mathcal T(D, C, f) = (F'D, FC, a_C \circ F'f), \qquad \mathcal T(d, c) = (F'd, Fc),$$

$$\mathcal U(Y, X, g) = (U'Y, UX, \tau_X \circ U'g), \qquad \mathcal U(y, x) = (U'y, Ux)$$

where $a_C = \varepsilon'_{F_2 FC} \circ \cdots : F' F_1 C \to F_2 FC$ ($\eta$ is the unit of $F \dashv U$ 
and $\varepsilon'$ is the counit of $F' \dashv U'$). $\mathcal T$ is (strong symmetric monoidal and) left 
adjoint to $\mathcal U$. Moreover the projections $p_1 : \mathcal G_1 \to \mathbb C_1$ and $p_2 : \mathcal G_2 \to \mathbb C_2$ give a 
map of adjunctions [19] from $\mathcal T \dashv \mathcal U : \mathcal G_1 \rightleftarrows \mathcal G_2$ to $F \dashv U : \mathbb C_1 \rightleftarrows \mathbb C_2$. □ 

5 Dual Intuitionistic Linear Logic 

Now we enrich our logic and calculus with the modality !. There are many 
possible choices for this, see for instance [7]. Here we choose the formulation 
due to Barber and Plotkin, called Dual Intuitionistic Linear Logic (DILL) [5] 
for its simple syntax and equational theory, as well as for the well-established 
category-theoretic models of DILL in terms of symmetric monoidal adjunctions. 
Alternatively we could use Benton’s Linear Non-Linear Logic (LNL Logic) [6] 
which has essentially the same class of category-theoretic models as DILL. In 
DILL a typing judgement takes the form $\Gamma ; \Delta \vdash M : \sigma$ in which $\Gamma$ represents an 
intuitionistic (or additive) context whereas $\Delta$ is a linear (multiplicative) context. 

5.1 Syntax of DILL 

Types and Terms 

$$\sigma ::= b \mid I \mid \sigma \otimes \sigma \mid \sigma \multimap \sigma \mid\ !\sigma$$

$$M ::= c(M) \mid x \mid * \mid \text{let } * \text{ be } M \text{ in } M \mid M \otimes M \mid \text{let } x \otimes x \text{ be } M \text{ in } M \mid \lambda x.M \mid MM \mid\ !M \mid \text{let } !x \text{ be } M \text{ in } M$$



Typing 

$$\frac{c : \sigma \to \tau \qquad \Gamma ; \Delta \vdash M : \sigma}{\Gamma ; \Delta \vdash c(M) : \tau}\ (\mathrm{Constant}) \qquad\qquad \frac{}{\Gamma ; x : \sigma \vdash x : \sigma}\ (\mathrm{Variable}_{\mathrm{lin}}) \qquad\qquad \frac{}{\Gamma_1, x : \sigma, \Gamma_2 ; \emptyset \vdash x : \sigma}\ (\mathrm{Variable}_{\mathrm{int}})$$

$$\frac{}{\Gamma ; \emptyset \vdash * : I}\ (I\mathrm{I}) \qquad\qquad \frac{\Gamma ; \Delta_1 \vdash M : I \qquad \Gamma ; \Delta_2 \vdash N : \sigma}{\Gamma ; \Delta_1 \# \Delta_2 \vdash \text{let } * \text{ be } M \text{ in } N : \sigma}\ (I\mathrm{E})$$

$$\frac{\Gamma ; \Delta_1 \vdash M : \sigma \qquad \Gamma ; \Delta_2 \vdash N : \tau}{\Gamma ; \Delta_1 \# \Delta_2 \vdash M \otimes N : \sigma \otimes \tau}\ (\otimes\mathrm{I}) \qquad\qquad \frac{\Gamma ; \Delta_1 \vdash M : \sigma \otimes \tau \qquad \Gamma ; \Delta_2, x : \sigma, y : \tau \vdash N : \theta}{\Gamma ; \Delta_1 \# \Delta_2 \vdash \text{let } x \otimes y \text{ be } M \text{ in } N : \theta}\ (\otimes\mathrm{E})$$

$$\frac{\Gamma ; \Delta, x : \sigma \vdash M : \tau}{\Gamma ; \Delta \vdash \lambda x.M : \sigma \multimap \tau}\ (\multimap\mathrm{I}) \qquad\qquad \frac{\Gamma ; \Delta_1 \vdash M : \sigma \multimap \tau \qquad \Gamma ; \Delta_2 \vdash N : \sigma}{\Gamma ; \Delta_1 \# \Delta_2 \vdash MN : \tau}\ (\multimap\mathrm{E})$$

$$\frac{\Gamma ; \emptyset \vdash M : \sigma}{\Gamma ; \emptyset \vdash\ !M : !\sigma}\ (!\mathrm{I}) \qquad\qquad \frac{\Gamma ; \Delta_1 \vdash M : !\sigma \qquad \Gamma, x : \sigma ; \Delta_2 \vdash N : \tau}{\Gamma ; \Delta_1 \# \Delta_2 \vdash \text{let } !x \text{ be } M \text{ in } N : \tau}\ (!\mathrm{E})$$


Axioms 

$$\text{let } * \text{ be } * \text{ in } M = M \qquad\qquad \text{let } * \text{ be } M \text{ in } * = M$$

$$\text{let } x \otimes y \text{ be } M \otimes N \text{ in } L = L[M/x, N/y] \qquad\qquad \text{let } x \otimes y \text{ be } M \text{ in } x \otimes y = M$$

$$(\lambda x.M)N = M[N/x] \qquad\qquad \lambda x.Mx = M$$

$$\text{let } !x \text{ be } !M \text{ in } N = N[M/x] \qquad\qquad \text{let } !x \text{ be } M \text{ in } !x = M$$

$$C[\text{let } * \text{ be } M \text{ in } N] = \text{let } * \text{ be } M \text{ in } C[N]$$

$$C[\text{let } x \otimes y \text{ be } M \text{ in } N] = \text{let } x \otimes y \text{ be } M \text{ in } C[N]$$

$$C[\text{let } !x \text{ be } M \text{ in } N] = \text{let } !x \text{ be } M \text{ in } C[N]$$

where $C[-]$ is a linear context (no $!$ binds $[-]$). 



5.2 Semantics of DILL 

Let $\mathbb C$ be a cartesian category (category with finite products), $\mathbb D$ a symmetric 
monoidal closed category and $F \dashv U : \mathbb C \rightleftarrows \mathbb D$ a symmetric monoidal adjunction; we 
understand that the symmetric monoidal structure on $\mathbb C$ is given by (a choice 
of) the terminal object and binary product. Assume that there is an object 
$\llbracket b \rrbracket \in \mathbb D$ for each base type $b$ and an arrow $\llbracket c \rrbracket \in \mathbb D(\llbracket \sigma \rrbracket, \llbracket \tau \rrbracket)$ for each constant 
$c : \sigma \to \tau$, where $\llbracket \sigma \rrbracket \in \mathbb D$ is inductively defined by $\llbracket I \rrbracket = I$, $\llbracket \sigma \otimes \tau \rrbracket = \llbracket \sigma \rrbracket \otimes \llbracket \tau \rrbracket$, 
$\llbracket \sigma \multimap \tau \rrbracket = \llbracket \sigma \rrbracket \multimap \llbracket \tau \rrbracket$ and $\llbracket !\sigma \rrbracket = FU\llbracket \sigma \rrbracket$. For each typing judgement $\Gamma ; \Delta \vdash 
M : \sigma$, we define $\llbracket \Gamma ; \Delta \vdash M : \sigma \rrbracket : \llbracket \Gamma ; \Delta \rrbracket \to \llbracket \sigma \rrbracket$ in $\mathbb D$ as follows, where 
$\llbracket \Gamma ; \Delta \rrbracket = \llbracket !\Gamma, \Delta \rrbracket$ in which $!\Gamma = x_1 : !\sigma_1, \ldots, x_n : !\sigma_n$ for $\Gamma = x_1 : \sigma_1, \ldots, x_n : \sigma_n$. 
The first eight cases are dealt with as in MILL, with care for discarding or duplicating 
the intuitionistic context, using 

$$\mathrm{discard}_{\Gamma, \Delta} : \llbracket \Gamma ; \Delta \rrbracket \to \llbracket \Delta \rrbracket$$

$$\mathrm{split}_{\Gamma, \Delta_1, \Delta_2} : \llbracket \Gamma ; \Delta_1 \# \Delta_2 \rrbracket \to \llbracket \Gamma ; \Delta_1 \rrbracket \otimes \llbracket \Gamma ; \Delta_2 \rrbracket$$

which are defined in terms of projections and diagonal maps in $\mathbb C$ and imported 
into $\mathbb D$ via $F$. For the last three cases we have 

$$\llbracket \Gamma_1, x : \sigma, \Gamma_2 ; \emptyset \vdash x : \sigma \rrbracket = \llbracket \Gamma_1, x : \sigma, \Gamma_2 ; \emptyset \rrbracket \xrightarrow{\ \cong\ } F(\cdots \times U\llbracket \sigma \rrbracket \times \cdots) \xrightarrow{\ F\,\mathrm{proj}\ } FU\llbracket \sigma \rrbracket \xrightarrow{\ \varepsilon\ } \llbracket \sigma \rrbracket$$

$$\llbracket \Gamma ; \emptyset \vdash\ !M : !\sigma \rrbracket = \llbracket \Gamma ; \emptyset \rrbracket \xrightarrow{\ \cong\ } \bigotimes_i FU\llbracket \sigma_i \rrbracket \xrightarrow{\ \bigotimes_i \delta\ } \bigotimes_i FUFU\llbracket \sigma_i \rrbracket \xrightarrow{\ m\ } FU\big(\bigotimes_i FU\llbracket \sigma_i \rrbracket\big) \xrightarrow{\ \cong\ } FU\llbracket \Gamma ; \emptyset \rrbracket \xrightarrow{\ FU\llbracket \Gamma ; \emptyset \vdash M : \sigma \rrbracket\ } FU\llbracket \sigma \rrbracket$$

$$\llbracket \Gamma ; \Delta_1 \# \Delta_2 \vdash \text{let } !x \text{ be } M \text{ in } N : \tau \rrbracket = \llbracket \Gamma ; \Delta_1 \# \Delta_2 \rrbracket \xrightarrow{\ \mathrm{split}\ } \llbracket \Gamma ; \Delta_1 \rrbracket \otimes \llbracket \Gamma ; \Delta_2 \rrbracket \xrightarrow{\ \llbracket \Gamma ; \Delta_1 \vdash M : !\sigma \rrbracket \otimes \mathrm{id}\ } \llbracket !\sigma \rrbracket \otimes \llbracket \Gamma ; \Delta_2 \rrbracket \xrightarrow{\ \cong\ } \llbracket \Gamma, x : \sigma ; \Delta_2 \rrbracket \xrightarrow{\ \llbracket \Gamma, x : \sigma ; \Delta_2 \vdash N : \tau \rrbracket\ } \llbracket \tau \rrbracket$$

where $\mathrm{proj}$ is a suitable projection in $\mathbb C$, $\varepsilon$ and $\delta$ are the counit and comultiplication of the comonad $FU$ while $m$ is an induced coherent morphism. 

Proposition 3. This semantics is sound and complete [5]. □ 



5.3 Logical Predicates for DILL 

Consider the following commutative diagram of functors 

$$\begin{array}{ccc} \mathbb C_0 & \xrightarrow{\ F_0\ } & \mathbb B_0 \\ {\scriptstyle I}\downarrow & & \downarrow{\scriptstyle J} \\ \mathbb C_1 & \xrightarrow{\ F_1\ } & \mathbb B_1 \end{array}$$

in which $\mathbb C_0$ and $\mathbb C_1$ are cartesian categories, $\mathbb B_0$ symmetric monoidal and $\mathbb B_1$ 
symmetric monoidal closed; and $F_0$, $F_1$ are strong symmetric monoidal while $I$, 
$J$ are strict symmetric monoidal. Moreover assume that $F_1$ has a right adjoint 
$U_1 : \mathbb B_1 \to \mathbb C_1$. 

As in Sect. 3, we define the categories of $\mathbb C_0$- and $\mathbb B_0$-predicates - let us 
call them $\mathbb C_0$PRED and $\mathbb B_0$PRED respectively. Note that $\mathbb C_0$PRED is a cartesian 
category with products given by $(P \times Q)(X) = \{ \langle f, g \rangle \mid f \in P(X), g \in Q(X) \}$ 
for $\mathbb C_0$-predicates $P$ and $Q$ (which coincides with $P \otimes Q$ in Definition 3). 

Now we give functors between $\mathbb C_0$PRED and $\mathbb B_0$PRED. For a $\mathbb C_0$-predicate $P$ 
on $A \in \mathbb C_1$, define a $\mathbb B_0$-predicate $L(P)$ on $F_1 A \in \mathbb B_1$ by 

$$L(P)(Y) = \{ F_1 g \circ Jf \mid \exists X \in \mathbb C_0,\ f \in \mathbb B_0(Y, F_0 X),\ g \in P(X) \}$$

and, for a $\mathbb B_0$-predicate $Q$ on $B \in \mathbb B_1$, a $\mathbb C_0$-predicate $M(Q)$ on $U_1 B \in \mathbb C_1$ by 

$$M(Q)(X) = \{ f^* \in \mathbb C_1(IX, U_1 B) \mid f \in Q(F_0 X) \subseteq \mathbb B_1(J F_0 X, B) = \mathbb B_1(F_1 I X, B) \}$$

where $f^* : IX \to U_1 B$ is the adjoint mate of $f : F_1 IX \to B$. 

Proposition 4. $L$ and $M$ extend to functors between $\mathbb C_0$PRED and $\mathbb B_0$PRED. 
Moreover $L$ is strong symmetric monoidal, and left adjoint to $M$. □ 

Therefore we have a symmetric monoidal adjunction between a cartesian category $\mathbb C_0$PRED and a symmetric monoidal closed category $\mathbb B_0$PRED. Let $!$ be the 
induced comonad on $\mathbb B_0$PRED, that is, we define a $\mathbb B_0$-predicate $!P$ on $F_1 U_1 A$ by 

$$(!P)(Y) = \{ F_1 g^* \circ Jf \mid \exists X \in \mathbb C_0,\ f \in \mathbb B_0(Y, F_0 X),\ g \in P(F_0 X) \}$$

for a $\mathbb B_0$-predicate $P$ on $A$. These are derived from a category-theoretic construction (left Kan extension [19] gives a left adjoint of $(-) \circ F_0 : \mathbf{Set}^{\mathbb B_0^{op}} \to \mathbf{Set}^{\mathbb C_0^{op}}$) 
together with Lemma 5 (for glueing $F_1 \dashv U_1 : \mathbb C_1 \rightleftarrows \mathbb B_1$ to the adjunction $\mathbf{Set}^{\mathbb C_0^{op}} \rightleftarrows \mathbf{Set}^{\mathbb B_0^{op}}$ whose right adjoint is $(-) \circ F_0$), but here 
let us motivate $!P$ more intuitively. A sequent $\emptyset ; Y \vdash\ !A$ can be proved as 

$$\frac{\Pi_f : \emptyset ; Y \vdash\ !A \qquad \dfrac{\Pi_g : X ; \emptyset \vdash A}{X ; \emptyset \vdash\ !A}\ (!\mathrm{I})}{\emptyset ; Y \vdash\ !A}\ (!\mathrm{E})$$

where $\emptyset ; Y \vdash\ !A$ converts a linear resource $Y$ to $!A$ which is used non-linearly 
in $X ; \emptyset \vdash\ !A$ to produce $!A$. Taking all such possible cases into account, we say 
that the proof satisfies $(!P)(Y)$ when $\Pi_f$ belongs to $\mathbb B_0$ and $\Pi_g$ satisfies $P(X)$. 



Now let us fix an interpretation $\llbracket - \rrbracket_1$ of DILL in $F_1 \dashv U_1 : \mathbb C_1 \rightleftarrows \mathbb B_1$. 

Definition 8. A type-indexed family $\{P_\sigma\}$ is a logical $(\mathbb C_0 \to \mathbb B_0)$-predicate if 

— $P_\sigma$ is a $\mathbb B_0$-predicate on $\llbracket \sigma \rrbracket_1$, 

— $P_I = P_I$ (the $\mathbb B_0$-predicate of Lemma 1), $P_{\sigma \otimes \tau} = P_\sigma \otimes P_\tau$, $P_{\sigma \multimap \tau} = P_\sigma \multimap P_\tau$ and $P_{!\sigma} = !P_\sigma$ hold, and 

— $\llbracket c \rrbracket_1 : (P_\sigma, \llbracket \sigma \rrbracket_1) \to (P_\tau, \llbracket \tau \rrbracket_1)$ for each constant $c : \sigma \to \tau$. □ 

Lemma 6 (Basic Lemma for DILL). Let $\{P_\sigma\}$ be a logical $(\mathbb C_0 \to \mathbb B_0)$-predicate. Then, for $\Gamma ; \Delta \vdash M : \tau$, $\llbracket \Gamma ; \Delta \vdash M : \tau \rrbracket_1 : (P_{|\Gamma ; \Delta|}, \llbracket \Gamma ; \Delta \rrbracket_1) \to 
(P_\tau, \llbracket \tau \rrbracket_1)$ holds. □ 



$(\mathbb C_0 \to \mathbb B_0)$ itself determines the canonical logical $(\mathbb C_0 \to \mathbb B_0)$-predicate when 

— for each base type $b$ there is an object $\llbracket b \rrbracket_0 \in \mathbb B_0$, and 

— for each constant $c : \sigma \to \tau$ there is an arrow $\llbracket c \rrbracket_0 \in \mathbb B_0(\llbracket \sigma \rrbracket_0, \llbracket \tau \rrbracket_0)$ 

where $\llbracket \sigma \rrbracket_0$ is defined inductively by $\llbracket I \rrbracket_0 = I$ and $\llbracket \sigma \otimes \tau \rrbracket_0 = \llbracket \sigma \rrbracket_0 \otimes \llbracket \tau \rrbracket_0$. In 
such cases we automatically have an interpretation $\llbracket - \rrbracket_1$ in $\mathbb B_1$ determined by 
$\llbracket b \rrbracket_1 = J(\llbracket b \rrbracket_0)$ and $\llbracket c \rrbracket_1 = J(\llbracket c \rrbracket_0)$, and the canonical logical $(\mathbb C_0 \to \mathbb B_0)$-predicate 
$\{P^*_\sigma\}$ is determined by $P^*_b = P_{\llbracket b \rrbracket_0}$. 

Example 3 (From MILL to DILL). Let $\mathbb B_0$ be the term model of MILL and $\mathbb C_0$ 
equivalent to the one object one arrow category, and $F_1 \dashv U_1 : \mathbb C_1 \rightleftarrows \mathbb B_1$ be the term 
model of DILL with the same base types and constants. Applying the Basic 
Lemma to the canonical logical $(\mathbb C_0 \to \mathbb B_0)$-predicate it follows that MILL is a 
full fragment of DILL; note that $P^*_{\sigma \multimap \tau} = P_{\llbracket \sigma \multimap \tau \rrbracket_0}$ holds for $!$-free types $\sigma$ and 
$\tau$ (see Remark 1). □ 

Example 4 (From action calculi to DILL). Suppose that $F_0 : \mathbb C_0 \to \mathbb B_0$ is the term 
model of an action calculus [20,22] and $F_1 \dashv U_1 : \mathbb C_1 \rightleftarrows \mathbb B_1$ is that of the corresponding 
DILL (alternatively the LNL Logic of Benton [6]), with $I$ and $J$ induced by the 
translation from the action calculus to DILL. If we have only non-parameterized 
constants, the Basic Lemma applied to the canonical logical predicate implies that 
the translation is full. In fact we can deal with parameterized constants (control 
operators) as well (see [13]), so together with the conservativity [4] we have the 
full completeness of DILL (LNL) over (static) action calculi. □ 
6 Related Work, Further Work 

6.1 Categorical Logical Predicates 

Our treatment of logical predicates in category-theoretic framework is inspired 
by Hermida’s work on fibrations and logical predicates [14], and also influenced 
by Mitchell and others’ work, in particular [21]. However, all these results are for 
typed lambda calculi. Blute and Scott [9] do consider a linear variant, and the 
intuition behind their work seems close to ours, though their work is on classical 
linear logic and better understood in connection with Tan’s recent work (see 
below). We also note that Ambler [3] has studied some relevant idea. The fact 
that our construction yields (bi)fibrations has some significance in our glueing 
constructions; we leave this categorical analysis to the full paper [13]. 



6.2 Classical Linear Type Theories 

So far we have only considered “intuitionistic” linear type theories. It is natural 
to expect that our construction works equally well in the settings with duality, 
i.e., classical linear theories. Here is a relevant construction explored by Tan: 

Example 5 (Double Glueing). An attractive use of categorical glueing is developed in Tan’s thesis [23]. Let $\mathbb C$ be a $*$-autonomous category (typically a compact closed category). Because of the duality, $\mathbb C^{op}$ is also $*$-autonomous and 
we have subscones (Example 1) $\tilde{\mathbb C}$ and $\widetilde{\mathbb C^{op}}$ with projections $p_1 : \tilde{\mathbb C} \to \mathbb C$ and 
$p_2 : \widetilde{\mathbb C^{op}} \to \mathbb C^{op}$. Hyland noticed that the category $G\mathbb C$ obtained by the following 
pullback is a $*$-autonomous category. 

[Pullback square with vertices $G\mathbb C$, $\widetilde{\mathbb C^{op}}$, $\tilde{\mathbb C}$ and $\mathbb C$, whose edges are the two projections out of $G\mathbb C$ together with $p_1$ and $p_2$.] 

Explicitly, an object of $G\mathbb C$ is a triple $A = (|A| \in \mathbb C,\ A_s \subseteq \mathbb C(I, |A|),\ A_t \subseteq \mathbb C(|A|, I))$ 
and an arrow $f : A \to B$ in $G\mathbb C$ is an arrow $f : |A| \to |B|$ in $\mathbb C$ satisfying $f \circ a \in B_s$ 
for $a \in A_s$ and also $b \circ f \in A_t$ for $b \in B_t$ (this generalizes Loader’s “linear 
logical predicates” [18]). The duality between $\tilde{\mathbb C}$ and $\widetilde{\mathbb C^{op}}$ induces a duality on 
$G\mathbb C$ which determines a $*$-autonomous structure. Tan calls this construction a 
double glueing, from which she has obtained various full completeness results for 
multiplicative linear logic (MLL). □ 

In fact it makes sense to replace the subscones in double glueing by C₀PRED for some suitably chosen symmetric monoidal category C₀. Using this we can derive a notion of logical predicates for MLL and, for example, can show that MILL is a full fragment of MLL. See [13] for an exposition.
Abstract. We define a notion of polarization in linear logic (LL) coming from the polarities of Jean-Yves Girard's classical sequent calculus LC [4]. This allows us to define a translation between the two systems. Then we study the application of this polarization constraint to proof-nets for full linear logic described in [7]. This yields an important simplification of the correctness criterion for polarized proof-nets. In this way we obtain a system of proof-nets for LC.



The study of cut-elimination takes an important place in proof-theory. Much 
work is spent to deal with commutation of rules for cut-elimination in sequent 
calculi. The introduction of proof-nets (see [7] for instance) solves commutation 
problems and allows us to define a clear notion of reduction and complexity. 

In [4], Jean-Yves Girard defines the sequent calculus LC using polarities. LC is a refinement of LK with a deterministic cut-elimination. J.-Y. Girard leaves open the following problem about the syntax:

"Find a better syntax (which would be to LC what typed λ-calculus is to LJ) for normalization [...]. A kind of proof-nets could be the solution, and the fact that proof-nets are not available for full linear logic could be compensated by the fact that only certain linear configurations are used."

In this paper we address this problem but the situation is now slightly different since proof-nets for full linear logic are given in [7]. In these proof-nets, the boxes for additives are replaced by weights on the nodes giving less sequentialization information. To use these proof-nets, we will first define a translation from LC to the fragment LLP of LL defined by restricting to polarized formulas. The "particular linear configurations" of LC correspond to the polarization of LLP.

We then turn to the study of proof-structures for LLP and show that the restriction to polarized formulas induces a natural orientation, the orientation of polarization, which is respected by the paths of LL's correctness condition (Orientation Lemma). This yields a striking simplification of the correctness condition which allows us to get rid of the notion of switches. In particular it turns out to be cubic in the size of polarized proof-nets whereas the LL condition is immediately seen to be exponential.



J.-Y. Girard (Ed.): TLCA'99, LNCS 1581, pp. 213-227, 1999.
© Springer-Verlag Berlin Heidelberg 1999
1 Classical Logic: LC

Gentzen's classical sequent calculus LK has well known problems, such as the lack of a denotational semantics and the non determinism of cut-elimination. J.-Y. Girard proposed in [4] the calculus LC as a refinement of LK to solve these defects. The key point is the introduction of polarities for formulas. Let us just recall the syntax.



1.1 Formulas and Polarity 



The formulas of LC are built from the atomic formulas and the constants V and F by using the connectives ∧, ∨, ¬, ∃ and ∀. For each formula, we define its polarity: atomic formulas, V and F are positive; as for the compound formulas we use the following table:

[table of the polarities of A ∧ B, A ∨ B, ¬A, ∃xA and ∀xA according to the polarities of A and B; the entries are not legible in the scan]

In the sequel, P and Q will stand for positive formulas and N and M for negative ones.



1.2 Rules of the Sequent Calculus LC 

To limit the number of rules, we will use one-sided sequents. The formulas will be defined modulo De Morgan's laws. The sequents for LC are written ⊢ Γ; Π where Γ (the body) is a multi-set of formulas and Π (the stoup) is either empty or a unique positive formula.

Then the sequent calculus is defined by the following rules (written premises / conclusion):

identity:                        ⊢ ¬P; P
positive cut:                    ⊢ Γ; P     ⊢ ¬P, Δ; Π   /   ⊢ Γ, Δ; Π
negative cut:                    ⊢ Γ, N;    ⊢ ¬N, Δ; Π   /   ⊢ Γ, Δ; Π
dereliction:                     ⊢ Γ; P   /   ⊢ Γ, P;
weakening:                       ⊢ Γ; Π   /   ⊢ Γ, A; Π
contraction:                     ⊢ Γ, A, A; Π   /   ⊢ Γ, A; Π
∧ (two positives):               ⊢ Γ; P     ⊢ Δ; Q   /   ⊢ Γ, Δ; P ∧ Q
∧ (positive, negative):          ⊢ Γ; P     ⊢ Δ, N;   /   ⊢ Γ, Δ; P ∧ N
∧ (negative, positive):          ⊢ Γ, M;    ⊢ Δ; Q   /   ⊢ Γ, Δ; M ∧ Q
∧ (two negatives):               ⊢ Γ, M; Π     ⊢ Γ, N; Π   /   ⊢ Γ, M ∧ N; Π
∨ (A ∨ B negative):              ⊢ Γ, A, B; Π   /   ⊢ Γ, A ∨ B; Π
∨ (two positives):               ⊢ Γ; P   /   ⊢ Γ; P ∨ Q      and      ⊢ Γ; Q   /   ⊢ Γ; P ∨ Q
∀ (x not free in Γ, Π):          ⊢ Γ, A; Π   /   ⊢ Γ, ∀xA; Π
∃ (negative body):               ⊢ Γ, N[t/x];   /   ⊢ Γ; ∃xN
∃ (positive body):               ⊢ Γ; P[t/x]   /   ⊢ Γ; ∃xP
2 Linear Logic with Polarities

We can give a translation from LC to LL using the definition of the denotational semantics described in [4]. More precisely, we will define a polarized fragment of LL and we will show in which way it corresponds to LC. We start with the definition of two polarized fragments of LL.

The first notion of polarization for LL splits the connectives into reversible 
and non reversible ones. 

Definition 1 (Polarized formula). We define at the same time the positive (denoted by P, Q) and negative (denoted by M, N) formulas, starting from a set of atoms (denoted by A, B):

P ::= !A | P ⊗ P | P ⊕ P | ∃xP | 1 | 0 | !N

N ::= ?A^⊥ | N ⅋ N | N & N | ∀xN | ⊥ | ⊤ | ?P

A polarized formula is either a positive one or a negative one.

The second notion of polarization is more precise and corresponds to LC's polarities. It will be used for studying translations between LC and LL.

Definition 2 (Strictly polarized formula). We define at the same time the strictly positive (denoted by 𝒫, 𝒬) and strictly negative (denoted by 𝒩, ℳ) formulas, starting from a set of atoms (denoted by A, B):

𝒫 ::= !A | 𝒫 ⊗ 𝒫 | 𝒫 ⊗ !𝒩 | !𝒩 ⊗ 𝒫 | 𝒫 ⊕ 𝒫 | ∃x𝒫 | ∃x!𝒩 | 1 | 0

𝒩 ::= ?A^⊥ | 𝒩 ⅋ 𝒩 | 𝒩 ⅋ ?𝒫 | ?𝒫 ⅋ 𝒩 | 𝒩 & 𝒩 | ∀x𝒩 | ∀x?𝒫 | ⊥ | ⊤

A strictly polarized formula is 𝒫, 𝒩, ?𝒫 or !𝒩.

Definition 3 (LLP and LLPc). The fragment LLP (resp. LLPc) of LL is obtained by restricting to polarized (resp. strictly polarized) formulas and by adding the constraint that the ⊤-rule must introduce at most one positive formula.

LLPc is a fragment of LLP (strictly polarized formulas are polarized) so all the results we will prove on LLP (about proof-nets, ...) will also be true for LLPc.

The constraint on the ⊤-rule is needed in particular for the next proposition.

Proposition 1. If ⊢ Γ is provable in LLP then Γ has at most one positive formula.

3 Translations between LC and LLPc 

We now prove the similarity of the two systems by defining two translations 
between LC and LL. More precisely these translations show that LC and LLPc 
are almost isomorphic. 
Definition 4. LC^r (the superscript naming this fragment is not legible in the scan; we write LC^r throughout) is the fragment of LC which refuses:

— structural rules on negative non atomic formulas;

— negative non atomic formulas in the context of the negative premise of:

• negative cut-rule,

• ∧-rule between a negative and a positive formula,

• ∃-rule on a negative formula.

Every proof of LC can be transformed into a proof of LC^r by commuting some reversible rules with structural ones so we have no loss of provability in LC^r. A study of these commutations of reversible rules has been done in a similar case by M. Quatrini and L. Tortora de Falco in [9] for the translation of … into LL.

3.1 LC^r → LLPc

Definition 5. The translation G ↦ G* from LC^r into LLPc is defined on formulas by:

A* = !A
(¬P)* = P*^⊥
V* = 1
F* = 0
(P ∧ Q)* = P* ⊗ Q*
(N ∧ M)* = N* & M*
(P ∧ N)* = P* ⊗ !N*
(N ∧ P)* = !N* ⊗ P*
(∃xP)* = ∃xP*
(∃xN)* = ∃x!N*

Given a sequent of LC, we can split the body into two parts, positive formulas and negative formulas: ⊢ Γ; Π = ⊢ Γ−, Γ+; Π. Then we can define the translation on sequents: (⊢ Γ−, Γ+; Π)* = ⊢ Γ−*, ?(Γ+)*, Π*.

The translation of proofs is defined rule by rule by introducing promotion rules on the negative premise before a negative cut, before a ∧ between a positive and a negative formula and before an ∃ on a negative formula. For example here is the case of the negative cut, in LC:

  ⊢ Γ−, Γ+, N;     ⊢ ¬N, Δ−, Δ+; Π
  ─────────────────────────────── (cut)
  ⊢ Γ−, Δ−, Γ+, Δ+; Π

and its translation in LLPc:

  ⊢ Γ−*, ?(Γ+)*, N*
  ─────────────────── (!)
  ⊢ Γ−*, ?(Γ+)*, !N*     ⊢ ?(¬N)*, Δ−*, ?(Δ+)*, Π*
  ─────────────────────────────────────────────── (cut)
  ⊢ Γ−*, Δ−*, ?(Γ+)*, ?(Δ+)*, Π*

Remark 1. An empty stoup corresponds to a ?Γ context in LL, i.e. to a correct context for promotion.

LC accepts structural rules on non atomic negative formulas, which are not translated into ?-formulas in LL. A solution is to add the constraints of LC^r to LC as we have done, but another one is to introduce cuts for the translation of these rules. This has been done with linear isomorphisms in Danos-Joinet-Schellinx [1].
3.2 LLPc → LC^r

Definition 6. The translation G ↦ G* from LLPc into LC^r is defined on strictly polarized formulas by:

(!A)* = A
(!𝒩)* = 𝒩*
(?𝒫)* = 𝒫*
1* = V
0* = F
(𝒫 ⊗ 𝒬)* = 𝒫* ∧ 𝒬*
(𝒫 ⊕ 𝒬)* = 𝒫* ∨ 𝒬*
(𝒫 ⊗ !𝒩)* = 𝒫* ∧ 𝒩*
(!𝒩 ⊗ 𝒫)* = 𝒩* ∧ 𝒫*
(∃x𝒫)* = ∃x𝒫*
(∃x!𝒩)* = ∃x𝒩*
(𝒫^⊥)* = ¬𝒫*

By Proposition 1, a sequent ⊢ Γ of LLPc can be written ⊢ Γ', Π where Π is the unique strictly positive formula of Γ (if it exists). Then the translation is given on sequents by: (⊢ Γ', Π)* = ⊢ Γ'*; Π*. There is no problem for the translation of proofs, we just have to make precise the translation of the promotion rule: a proof π of ⊢ ?Γ, N followed by the promotion ⊢ ?Γ, !N is translated into π* alone.

[derivation figure: π ending in ⊢ ?Γ, N, then the promotion step giving ⊢ ?Γ, !N, translated to π*]






Remark 2. This particular translation corresponds to the fact that a promotion is always followed by another rule: a cut-rule, a ⊗-rule or an ∃-rule. So promotion rules can be erased by the translation.

The translations (.)* and (.)* are almost inverse of each other, more precisely:

— If G is a formula of LC^r, G** = G.

— If 𝒫 is a strictly positive formula of LLPc, 𝒫** = 𝒫 and (?𝒫)** = 𝒫.

— If 𝒩 is a strictly negative formula of LLPc, 𝒩** = 𝒩 and (!𝒩)** = 𝒩.

— For the sequents: (⊢ Γ; Π)** = ⊢ Γ; Π and (⊢ Γ)** = ⊢ Γ.

— If π is a proof in LC^r, π** = π.

However the converse is wrong for proofs: π** ≠ π because LLPc is more flexible about the position of promotions. In the following example, the first LL proof puts weakening in between the promotion and its associated ∃-rule whereas the third one, being translated from LC, has glued the promotion with the ∃-rule.



First LL proof π:
  ⊢ !A, ?A^⊥                  (ax)
  ⊢ ?!A, !?A^⊥                (?d, !)
  ⊢ ?B^⊥, ?!A, !?A^⊥          (?w)
  ⊢ ?B^⊥, ?!A, ∃x!?A^⊥        (∃)

Its translation π* in LC:
  ⊢ ¬A, A;
  ⊢ ¬B, ¬A, A;                (weakening)
  ⊢ ¬B, A; ∃x¬A               (∃)

Third proof π** in LL, translated from the LC proof:
  ⊢ !A, ?A^⊥                  (ax)
  ⊢ ?B^⊥, ?!A, ?A^⊥           (?d, ?w)
  ⊢ ?B^⊥, ?!A, !?A^⊥          (!)
  ⊢ ?B^⊥, ?!A, ∃x!?A^⊥        (∃)
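The two translations and the round-trip identity G** = G can be checked mechanically. The following Python script is an added example, not code from the paper: it encodes LC and LL formulas as nested tuples (an encoding chosen here), computes LC polarities (read off the rules of Sect. 1.2: a conjunction is positive as soon as one conjunct is, a disjunction only when both are, ∃ is positive, ∀ negative, ¬ flips), implements (.)* of Definition 5 and (.)* of Definition 6, checks strict polarization in the sense of Definition 2, and verifies G** = G on constructed formulas. Disjunction and ∀ are represented through De Morgan's laws, as the paper's "formulas modulo De Morgan" allows.

```python
# LC polarities and the (.)* translations of Definitions 5 and 6 (added example).
# Encodings chosen here: LC formulas are ('atom','A'), ('V',), ('F',), ('and',A,B),
# ('not',A), ('exists','x',A); A ∨ B and ∀xA are taken modulo De Morgan, as
# ¬(¬A ∧ ¬B) and ¬∃x¬A.  LL formulas are ('atom','A') / ('natom','A') for A / A^⊥,
# ('bang',F), ('quest',F), ('tensor'|'par'|'with'|'plus',F,G), ('exists'|'forall','x',F)
# and the constants ('one',), ('zero',), ('bot',), ('top',).

def neg(a):
    """LC negation modulo De Morgan: ¬¬A is identified with A."""
    return a[1] if a[0] == 'not' else ('not', a)

def Or(a, b):
    return neg(('and', neg(a), neg(b)))

def Forall(x, a):
    return neg(('exists', x, neg(a)))

def positive(a):
    """LC polarity (Sect. 1.1): atoms, V, F and ∃ are positive; a conjunction is
    positive as soon as one conjunct is; ¬ flips polarity (so a disjunction is
    positive only when both disjuncts are, and ∀ is always negative)."""
    tag = a[0]
    if tag in ('atom', 'V', 'F', 'exists'):
        return True
    if tag == 'and':
        return positive(a[1]) or positive(a[2])
    if tag == 'not':
        return not positive(a[1])
    raise ValueError(a)

DUAL = {'tensor': 'par', 'par': 'tensor', 'with': 'plus', 'plus': 'with',
        'exists': 'forall', 'forall': 'exists', 'one': 'bot', 'bot': 'one',
        'zero': 'top', 'top': 'zero', 'bang': 'quest', 'quest': 'bang',
        'atom': 'natom', 'natom': 'atom'}

def dual(f):
    """Linear negation F^⊥, pushed down to the atoms."""
    tag = f[0]
    if tag in ('atom', 'natom'):
        return (DUAL[tag], f[1])
    if tag in ('bang', 'quest'):
        return (DUAL[tag], dual(f[1]))
    if tag in ('exists', 'forall'):
        return (DUAL[tag], f[1], dual(f[2]))
    if len(f) == 1:
        return (DUAL[tag],)
    return (DUAL[tag], dual(f[1]), dual(f[2]))

def lc_to_ll(a):
    """Definition 5: G ↦ G* from LC into LLPc."""
    tag = a[0]
    if tag == 'atom':
        return ('bang', a)                                  # A* = !A
    if tag in ('V', 'F'):
        return ('one',) if tag == 'V' else ('zero',)        # V* = 1, F* = 0
    if tag == 'not':
        return dual(lc_to_ll(a[1]))                         # (¬P)* = P*^⊥
    if tag == 'exists':                                     # (∃xP)* = ∃xP*, (∃xN)* = ∃x!N*
        body = lc_to_ll(a[2])
        return ('exists', a[1], body if positive(a[2]) else ('bang', body))
    if tag != 'and':
        raise ValueError(a)
    l, r = a[1], a[2]                                       # conjunction, by polarities
    ls, rs = lc_to_ll(l), lc_to_ll(r)
    if positive(l) and positive(r):
        return ('tensor', ls, rs)                           # (P ∧ Q)* = P* ⊗ Q*
    if not positive(l) and not positive(r):
        return ('with', ls, rs)                             # (N ∧ M)* = N* & M*
    if positive(l):
        return ('tensor', ls, ('bang', rs))                 # (P ∧ N)* = P* ⊗ !N*
    return ('tensor', ('bang', ls), rs)                     # (N ∧ P)* = !N* ⊗ P*

def ll_to_lc(f):
    """Definition 6: G ↦ G* from LLPc back into LC, on strictly polarized formulas."""
    tag = f[0]
    if tag == 'atom':
        return f
    if tag in ('bang', 'quest'):
        return ll_to_lc(f[1])                               # (!A)* = A, (!N)* = N*, (?P)* = P*
    if tag in ('one', 'zero'):
        return ('V',) if tag == 'one' else ('F',)
    if tag == 'tensor':                                     # P⊗Q, P⊗!N and !N⊗P all give ∧
        return ('and', ll_to_lc(f[1]), ll_to_lc(f[2]))
    if tag == 'plus':
        return Or(ll_to_lc(f[1]), ll_to_lc(f[2]))           # (P ⊕ Q)* = P* ∨ Q*
    if tag == 'exists':
        return ('exists', f[1], ll_to_lc(f[2]))             # ∃xP and ∃x!N
    return neg(ll_to_lc(dual(f)))                           # negative forms: (P^⊥)* = ¬P*

def strictly_positive(f):
    """The 𝒫 of Definition 2; 𝒩 is its linear dual and !𝒩 is checked separately."""
    tag = f[0]
    if tag == 'bang':
        return f[1][0] == 'atom'                            # !A
    if tag in ('one', 'zero'):
        return True
    if tag == 'tensor':
        l, r = f[1], f[2]
        return ((strictly_positive(l) or bang_negative(l)) and
                (strictly_positive(r) or bang_negative(r)) and
                not (bang_negative(l) and bang_negative(r)))
    if tag == 'plus':
        return strictly_positive(f[1]) and strictly_positive(f[2])
    if tag == 'exists':
        return strictly_positive(f[2]) or bang_negative(f[2])
    return False

def strictly_negative(f):
    return strictly_positive(dual(f))

def bang_negative(f):                                       # the !𝒩 case
    return f[0] == 'bang' and strictly_negative(f[1])

def round_trip(g):
    """The identity G** = G for a formula G of LC."""
    return ll_to_lc(lc_to_ll(g)) == g
```

Running `round_trip` on A ∧ ¬B (positive) and on ∀x(A ∨ ¬B) (negative) gives True in both cases, and `lc_to_ll` of the first is !A ⊗ !?B^⊥, strictly positive, while the second becomes ∀x(?!A ⅋ ?B^⊥), strictly negative. The converse failure on proofs described above is not visible at the level of formulas, which is exactly the point of the example in the text.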
4 Proof-Nets

Proof-nets have been introduced in [3] for the multiplicative case and then extended in [5] and [7] to full linear logic.

4.1 Proof-Structure

The following definitions come from [7] with just some modifications.

Definition 7 (Weight). Given a set of elementary weights, i.e. boolean variables (denoted by p, q, ...), a weight is a product (conjunction) of elementary weights p and of negations of elementary weights p̄.

As a convention, we use 1 for the empty product and 0 for a product where p and p̄ appear. We also replace p.p by p. With this convention we say that the weight w depends on p when p or p̄ appears in w.

A proof-structure is an oriented graph with pending edges, for which each edge is associated with an LL formula, constructed on the following set of nodes respecting the following typing constraints. The orientation is from top to bottom.



[figure: the nodes of a proof-structure with their typing constraints, premises above and conclusions below: ax (conclusions A and A^⊥); cut (premises A and A^⊥); ⊗ (premises A, B; conclusion A⊗B); ⅋ (premises A, B; conclusion A⅋B); & (premises A, B; conclusion A&B); ⊕1 (premise A; conclusion A⊕B); ⊕2 (premise B; conclusion A⊕B); C (premises A, ..., A; conclusion A); ! (conclusions !A, ?A1, ..., ?An); ?d (premise A; conclusion ?A); ?c (premises ?A, ?A; conclusion ?A); ?w (conclusion ?A); ∀ (premise A; conclusion ∀xA); ∃ (premise A[t/x]; conclusion ∃xA); 1 (conclusion 1); ⊥ (conclusion ⊥); ⊤ (conclusions ⊤, A1, ..., An)]







To avoid confusion with the other orientation that we will introduce later, this orientation will be called the geographic orientation and we will refer to it by the terms: top, bottom, above, below, to go up, to go down, premise of a node (edge just above the node), conclusion of a node (edge just below the node), ...

A unary node is a node with only one premise and a binary node is a node with two premises. The C-nodes must have at least two premises.

In such a graph:

— we associate an elementary weight to each &-node called its eigen weight;

— the variable used in the quantification of a ∀-node is called its eigen variable;

— we associate a non empty set of nodes (different from cut) to each ⊥-node and ?w-node. These are called the jumps of the node.

Eigen weights and eigen variables are supposed to be different.

We associate a weight to each node with the constraint that if two nodes have a common edge, they must have the same weight except if the edge is a premise of a &-node or of a C-node (additive contraction). In these particular cases the weight changes:
— if w is the weight of a &-node and p is its eigen weight then w does not depend on p and its premise nodes must have weights w.p and w.p̄;

— if w is the weight of a C-node and w_1, ..., w_n are the weights of its premise nodes then we must have w = w_1 + ... + w_n and w_i.w_j = 0 for all i ≠ j.

Then we can define the following notions:

— A node L with weight w is said to depend on p if w depends on p or if L is a C-node and one of the weights just above it depends on p.

— A node L is said to depend on an eigen variable x if x is free in the formula associated to the conclusion of L or if L is an ∃_t-node and x is free in t.

A proof-structure must also satisfy the following properties:

— a conclusion node (i.e. a node with a pending edge) has weight 1;

— eigen variables are not free in the formulas associated to pending edges;

— if w is the weight of a &-node with eigen weight p and w' is a weight depending on p and appearing in the proof-structure then w' ≤ w;

— if w is the weight of a ∀-node with eigen variable x and w' is the weight of a node depending on x then w' ≤ w;

— if w is the weight of a ⊥-node or of a ?w-node and w' is the weight of one of its jumps then w ≤ w'.

With this definition we have a notion of proof-structures for full linear logic. Now to make it clear, let us look at the example of a proof-structure for A⊕B [connective not recovered] A⊕B:

[figure not recovered from the scan]



4.2 Sequentialization and Correctness 

An important point in the study of proof-nets is the problem of correctness criterions, that is the problem of knowing whether a proof-structure is a proof. More technically, can you inductively deconstruct a proof-structure?

There exist different correctness criterions for multiplicative proof-structures like [3] or [2] which lead to the criterion of [7] for the full case. We present here this general criterion.

Definition 8 (Sequentialization of a proof-structure). The relation "L sequentializes R into S" is defined for each possible L. R is a proof-structure, S is a set of proof-structures and L is a conclusion node of R or a cut.

— ax, !, 1, ⊤: if L is the only node of R then L sequentializes R into ∅;
— cut, ⊗: if it is possible to split the graph obtained by erasing L into two proof-structures R_1 and R_2 then L sequentializes R into {R_1, R_2};

— ⊕1, ⊕2, ?d, ?c, ?w, ∀, ∃, ⊥: if when we erase L in R, we obtain a proof-structure R_0 then L sequentializes R into {R_0};

— &: let p be the eigen weight of L. The graph R_0 (resp. R_1) is obtained by giving to p the value 0 (resp. 1) and just keeping nodes with non zero weights and identifying the unary C-nodes to the node just above. If R_0 (resp. R_1) is a proof-structure then L sequentializes R into {R_0, R_1};

— C: a C-node never sequentializes a proof-structure.

Definition 9 (Sequentializable proof-structure). A proof-structure R is said to be sequentializable if one of its nodes sequentializes R into a set of sequentializable proof-structures or into the empty set.

Definition 10 (Valuation). A valuation φ for a proof-structure R is a function from the set of the eigen weights of R into {0, 1}. Such a valuation can easily be seen as a function defined on the set of all the weights of R.

Definition 11 (Slice). Given a valuation φ of a proof-structure R, the slice φ(R) is the proof-structure obtained from R by keeping only the nodes with weights w such that φ(w) = 1 and the edges below a kept node and by identifying the unary C-nodes with the upper node. A slice is not really a proof-structure according to the definition of Sect. 4.1 because unary &-nodes appear.

Definition 12 (Switch). Given a valuation φ of a proof-structure R, a switch S of R is defined as a non oriented graph constructed with the nodes and the edges of φ(R) with the modifications:

— for each ⅋- or ?c-node, we keep only one premise;

— for each &-node L, we erase the premise appearing in φ(R) and we add an edge, called dependency edge, from a node depending on L to L (this may change nothing);

— for each ∀-node L, we erase the premise and we add an edge, called dependency edge, from a node depending on its eigen variable to L (this may change nothing);

— for each ?w- or ⊥-node L, we add an edge, called jump edge, from a jump of L to L.

Definition 13 (Proof-net). A proof-structure is a proof-net if all its switches are acyclic and connected.

Theorem 1 (Sequentialization — J.-Y. Girard in [7]). A proof-structure is sequentializable iff it is a proof-net.

5 Polarized Proof-Nets 

Now we restrict proof-nets to the polarized case. This strong constraint will allow 
us to define a new and simpler correctness criterion. 
Definition 14 (Polarized proof-structure). A polarized proof-structure is a proof-structure made only of polarized formulas and with the constraint that at most one of the formulas associated to the conclusions of a ⊤-node can be positive.

In other words, a polarized proof-structure is a proof-structure typed by LLP. As LLPc is a fragment of LLP, all the following results will give a notion of proof-nets for LC through the translations in Sect. 3.

Definition 15 (Edges). We give here some new terminology on edges in a polarized proof-structure:

— a positive (resp. negative) edge is an edge with a positive (resp. negative) formula;

— a principal edge in a switch is an edge already appearing in the proof-structure; a switching edge is either a dependency edge or a jump edge. For switching edges, we extend the polarization and the geographic orientation by considering them negative and oriented towards the corresponding &-, ∀-, ?w- or ⊥-node.

In the sequel, we will distinguish between two C-nodes: the C⁺-node with positive premises and conclusion and the C⁻-node with negative ones.

Definition 16 (Positive and negative nodes). A positive node is a node with positive edges, that is ⊗, ⊕, C⁺, ∃ and 1, and a negative node is a node with negative edges, that is ⅋, &, C⁻, ?c, ?w, ∀ and ⊥.

5.1 Towards Specific Criterions 

The key point for the simplification of the correctness criterion in the case of 
polarized proof-nets is the existence of a specific orientation in these proof-nets 
as shown in Lemma 2. The use of this orientation allows us to forget the notion 
of switch and then also the notion of slice. 

The idea of orientation linked to polarization in proof-nets has already been used. For example François Lamarche proposed in [8] a criterion for proof-nets for intuitionistic linear logic with Danos-Regnier polarities.

We define a new orientation on proof-structures, the orientation of polariza- 
tion (or p- orientation): positive edges are oriented upwardly and negative edges 
downwardly. We will talk about this orientation using the terms: to arrive to , 
to come from, incident edge, emergent edge,. . . 

Lemma 1. In a switch of a polarized proof-structure, a node has at most one incident edge. Positive and negative nodes have exactly one incident edge.

Proof. We study each node:

— the only nodes with incident switching edges are &, ∀, ?w and ⊥ and by the definition of a switch these nodes have exactly one incident edge in a switch (either a premise or a switching edge);

222 Olivier Laurent

— ⅋- and ?c-nodes have just one premise in a switch so just one incident edge;

— positive nodes, ax, cut and ! have only principal edges in a switch and the only incident one is their positive conclusion (negative premise for cut);

— ?d-nodes have only emergent edges;

— ⊤-nodes with a positive conclusion are like ! and those with only negative conclusions have no incident edges;

— there are no C-nodes in a switch. □

Lemma 2 (Orientation lemma). A non bouncing path in a switch of a po- 
larized proof- structure starting accordingly to the p-orientation always respects 
this orientation. 

Proof. We prove the result by induction on the length of the path, the case of length 0 being given by the starting hypothesis. Now when the path arrives to a new node, this is only possible through the incident edge so when the path continues it must be by another edge, thus an emergent one (by Lemma 1) since it does not bounce. □

Lemma 3. A non oriented cycle in a switch of a polarized proof- structure is 
p-oriented. 

Definition 17 (Correction graph). The correction graph of a proof-structure R is the oriented graph obtained by putting on R the p-orientation and by adding some new edges:

— from each node depending on an eigen weight to the corresponding &-node;

— from each node depending on an eigen variable to the corresponding ∀-node;

— from the jumps to the nodes they are associated to.

Lemma 4. If there is a (non oriented) cycle in a switch of a proof-structure then there is a p-oriented cycle in its correction graph.

Definition 18 (Initial and final nodes). In a correction graph, a node is initial (resp. final) if all the edges starting from (resp. arriving to) it are pending edges.

Remark 3. A final node is a conclusion node so its weight is always 1. A ?d-node is always initial.

5.2 Weak Criterion 

We give here our first criterion for polarized proof- nets, which is simpler than 
the general one but equivalent. To obtain this result we still need to use the 
notion of slices. 

Definition 19 (Slice of a correction graph). A slice of a correction graph 𝒢 is the sub-graph of 𝒢 made only of the nodes and the edges of a slice of the proof-structure (in other terms it is the correction graph of the slice).
Theorem 2 (Correctness criterion). A polarized proof-structure has all its switches acyclic and connected iff all the slices of its correction graph are acyclic (with orientation), contain exactly one initial node and all the nodes of the slice are p-accessible from the initial one (in this case we say that the correction graph is weakly correct).

Proof. By Theorem 1, a proof-structure with all its switches acyclic and connected is sequentializable and by an easy induction, a sequentializable polarized proof-structure has a weakly correct correction graph. Conversely if the correction graph is weakly correct, switches cannot contain any cycle by Lemma 4.

To finish, we can prove by induction on the sum Σ of the lengths of all the paths from the initial node i of the slice to a fixed node s that in all the switches of this slice there is a path between i and s.

— If Σ = 0 then s = i.

— If Σ = n+1, s is not an initial node in the slice. We choose a switch S; there exist a node s' and an edge a from s' to s such that a appears in S (by definition of a switch we always keep such an edge). Then by induction hypothesis on s', there is a path in S between i and s' which can be extended with a into a path between i and s. □

We can apply to our polarized proof-structures all the results of the general 
case given in [7] about sequentialization, cut-elimination,... 



5.3 Strong Criterion 

Following the same direction we obtain a second and most important criterion 
which allows us to forget also slices. 

Definition 20 (Strong correctness criterion). The correction graph of a polarized proof-structure is strongly correct if it is acyclic and if for all pairs of distinct initial nodes with weights w_i and w_j, w_i.w_j = 0.
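As an added illustration (not code from the paper), the Python script below implements the weights of Definition 7 and the strong criterion of Definition 20 on a correction graph given as an explicit edge list. It assumes the graph is already p-oriented and already contains the extra edges of Definition 17; pending edges are not listed, so, following Remark 3 and Lemma 1, an initial node is taken to be one with no incident edge from another node. Both graphs are constructed for the example: the first is the translation of a &-rule as in Definition 24 (accepted), the second two disconnected copies of the structure for ⊢ ?A^⊥, ?!A (rejected, since its two initial ?d-nodes both have weight 1 and 1.1 ≠ 0).

```python
# Weights (Definition 7) and the strong correctness criterion (Definition 20).
# Added example; the two graphs at the bottom are constructed for it and are not
# the paper's figures.  A correction graph is given by its node weights and its
# p-oriented edges (Definition 17 edges included); pending edges are not listed.
from itertools import combinations


class Weight:
    """Product of literals p / p̄ over elementary weights: 1 is the empty product,
    0 is any product containing both p and p̄, and p.p is identified with p."""

    def __init__(self, lits=(), zero=False):
        lits = frozenset(lits)                  # pairs (variable, sign); sign False means p̄
        self.zero = zero or any((v, not s) in lits for v, s in lits)
        self.lits = frozenset() if self.zero else lits

    def __mul__(self, other):
        return Weight(self.lits | other.lits, self.zero or other.zero)

    def __eq__(self, other):
        return isinstance(other, Weight) and (self.zero, self.lits) == (other.zero, other.lits)

    def is_zero(self):
        return self.zero

    def depends_on(self, p):
        """w depends on p when p or p̄ appears in w (Definition 7)."""
        return any(v == p for v, _ in self.lits)

    def __repr__(self):
        if self.zero:
            return "0"
        return ".".join(v if s else v + "~" for v, s in sorted(self.lits)) or "1"


ONE = Weight()


def lit(p, sign=True):
    """The weight p (sign True) or p̄ (sign False)."""
    return Weight([(p, sign)])


class CorrectionGraph:
    def __init__(self, weights, edges):
        self.weights = dict(weights)            # node name -> Weight
        self.edges = sorted(set(edges))         # (source, target), p-oriented
        for s, t in self.edges:
            assert s in self.weights and t in self.weights, (s, t)

    def is_acyclic(self):
        """Kahn's algorithm: acyclic iff every node can be scheduled in turn."""
        indeg = {n: 0 for n in self.weights}
        for _, t in self.edges:
            indeg[t] += 1
        ready = [n for n, k in indeg.items() if k == 0]
        scheduled = 0
        while ready:
            n = ready.pop()
            scheduled += 1
            for s, t in self.edges:
                if s == n:
                    indeg[t] -= 1
                    if indeg[t] == 0:
                        ready.append(t)
        return scheduled == len(self.weights)

    def initial_nodes(self):
        """Initial nodes (Definition 18 read with Remark 3): no incident edge from another node."""
        targets = {t for _, t in self.edges}
        return sorted(n for n in self.weights if n not in targets)

    def strongly_correct(self):
        """Definition 20: acyclic, and w_i.w_j = 0 for every pair of distinct initial nodes."""
        if not self.is_acyclic():
            return False
        inits = self.initial_nodes()
        return all((self.weights[a] * self.weights[b]).is_zero() for a, b in combinations(inits, 2))


def with_rule_example():
    """Translation of a &-rule (Definition 24): ax1 of weight p and ax2 of weight p̄,
    a &-node on their negative conclusions ?A^⊥ and a C+-node on their positive
    conclusions !A.  Negative edges point down (ax -> &), positive edges point up
    (C+ -> ax); C+ depends on p through its premises, hence the edge C+ -> &."""
    weights = {"ax1": lit("p"), "ax2": lit("p", False), "&": ONE, "C+": ONE}
    edges = [("ax1", "&"), ("ax2", "&"), ("C+", "ax1"), ("C+", "ax2"), ("C+", "&")]
    return CorrectionGraph(weights, edges)


def disconnected_example():
    """Two side-by-side copies of the structure for ⊢ ?A^⊥, ?!A: each ?d-node is initial
    with weight 1 and 1.1 ≠ 0, so the strong criterion rejects this disconnected structure."""
    weights = {"ax1": ONE, "?d1": ONE, "ax2": ONE, "?d2": ONE}
    edges = [("?d1", "ax1"), ("?d2", "ax2")]   # the premise !A of ?d is positive: oriented up into ax
    return CorrectionGraph(weights, edges)


if __name__ == "__main__":
    for g in (with_rule_example(), disconnected_example()):
        print(g.initial_nodes(), g.is_acyclic(), g.strongly_correct())
```

The disconnected case shows why the condition on initial nodes is what replaces connectedness of the switches: the graph is acyclic, but its two initial nodes have a non-zero product of weights, so no single slice could be p-accessible from one initial node, which is exactly what Theorem 3 needs.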



Theorem 3 (Strong criterion and weak criterion). A strongly correct cor- 
rection graph is weakly correct. 

Proof. No problem for acyclicity because a slice of a correction graph has fewer edges than the correction graph itself. Then by acyclicity of the slices we have at least one initial node in each slice. But also at most one because taking a slice does not create any initial node (a negative node is never initial and the other ones cannot lose the node under their conclusion) so the condition on initial nodes of the correction graph is sufficient.

For accessibility of nodes, we prove by induction on the sum Σ of the lengths of all the paths from an initial node to a fixed node s that s is p-accessible from the initial node in each slice where it appears:

— if Σ = 0 then s is initial;

— if Σ = n+1 then in a slice where s appears either it is initial and there is no problem or there is another node s' with an edge from s' to s. By induction hypothesis s' is accessible from the initial node in every slice where it appears. Thus in the slice we are looking at, s' is accessible and also s by adding the edge to a path arriving to s'. □

The converse is wrong, some proof-structures are weakly correct but rejected 
by the strong criterion because some cycles may come from the interactions 
between different slices. However we keep enough proof-structures to have proof- 
nets for all proofs of sequent calculus and the strong criterion is preserved by 
cut-elimination. We will see this in the Sects. 5.5 and 5.6. 

5.4 Sequentialization 

We will now give a proof of sequentializability of strongly correct proof-nets 
different from the one consisting in using the proof for the general criterion by 
Theorems 3, 2 and then 1. 

Definition 21 (Positive tree). A positive tree of a correction graph is a non empty connected set of positive nodes and positive edges maximal for inclusion.

A positive tree A is terminal when for each positive edge a of the correction graph, if there is a path from A to a then a is in A.

Theorem 4 (Sequentialization). A polarized proof-net is sequentializable.

Proof. The first point is to sequentialize by all negative final nodes. We prove that if a ⅋-, &-, ?c-, ?w-, ⊥- or ∀-node is final then it sequentializes the proof-net. We remark that ⊗-, ⊕i-, ∃-, C⁺-, C⁻-, ?d- and cut-nodes are never final. So we have to sequentialize a proof-net with only ax-, !-, ⊤- and 1-nodes as final ones.

Lemma 5. If the only final nodes of a polarized proof-net are ax, !, ⊤ and 1 then from each non final node there exists a path to a terminal positive tree.

Definition 22 (Cut positive tree). A positive tree is said to be cut if it has a cut-node hereditarily above it.

Proof (Theorem 4, continued). Given a proof-net with only ax-, !-, ⊤- and 1-nodes as final ones, by Lemma 5 it contains a terminal positive tree. If there are no nodes under this tree, it can be sequentialized. Otherwise this is a cut positive tree and we show by terminality of the tree that the cut-node under it sequentializes the proof-net. □

Proposition 2. The criterion given by Theorem 4 has a cubic complexity in the 
size of the proof-net (i.e. the number of its nodes). 
5.5 Translation from Sequent Calculus

To show that the strong criterion keeps enough proof-structures we have to define a translation from LLP to polarized proof-structures and to prove the correctness of the proof-structures built in this way.

When we talked about sequentialization we used proof-structures with !- 
nodes just seen as generalized axioms but to talk about the translation of proofs 
and about cut-elimination, we need to refine our definition of proof-structure. 

Definition 23 (Proof-structure and proof-net with boxes). We define a proof-structure with boxes by induction, it is:

— either a proof-structure with no !-nodes,

— or a proof-structure together with a proof-structure with boxes of conclusions A, ?B_1, ..., ?B_n associated to each !-node of conclusions !A, ?B_1, ..., ?B_n.

We can define in the same way proof-nets with boxes from proof-nets.

In the sequel we will use the term proof-structure (resp. proof-net) instead of proof-structure (resp. proof-net) with boxes.

Definition 24 (Translation of proofs). We define the translation from LLP to polarized proof-structures by induction on the size of the proof:

— &: by induction we obtain two polarized proof-structures R_1 and R_2 from the two proofs of the premises of the &-rule. We choose a new elementary weight p and multiply all the weights of R_1 by p and all the weights of R_2 by p̄. Then we add a &-node (with eigen weight p) between the two pending edges corresponding to the formulas used by the & and a C-node for each pair of formulas of the context coming from R_1 and R_2;

— !: the new proof-structure is just a single !-node introducing the conclusions !A, ?B_1, ..., ?B_n of the rule and the proof-structure associated to it is the one obtained at the previous step with conclusions A, ?B_1, ..., ?B_n;

— ?w: we just add a ?w-node to the proof-structure R of the previous step with a set of jumps constituted of all the conclusion nodes of R;

— ⊥: same as ?w;

no problem for the other rules.



Theorem 5. The previous translation is in fact from LLP to polarized 
proof-nets. 

5.6 Cut Elimination 

Definition 25 (Reduction step). The different cut- elimination steps are the 
following ones: 

— Axiom cut: we erase the ax- and cut-nodes and replace them by an edge, the 
jumps coming from the ax-node are moved to the other node above the cut. 
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— Multiplicative cut: we erase the ^ and the (8>, the cut is duplicated between 
the two pairs of premises. All the jumps are duplicated and moved up. 




— Additive cut: if the ©-node is a ©i-node (resp. ® 2 ~node) we erase in the 
proof- structure all the nodes with null weights when p = 1 (resp. p = Q) and 
the cut moves up as the jumps. 



P P = 1 P 




— Dereliction cut: the box is opened and the cut moves up as the jumps. 

— Contraction cut: the \-node is duplicated and also the cut to be put between 
each premise of the ? c and a box. New ? c-nodes are put between the pairs of 
conclusions of the ! . Jumps from the ! and from the ? c are duplicated. 

— Weakening cut: we just erase the box and put new Iw-nodes above its con- 
clusions. The jumps of these new nodes are the jumps of the cut one. 

— Commutative exponential cut: the box with the cut l-node comes into the 
other one and the other \-node is extended with the conclusions of the first 
one. All the jumps coming from the two l-nodes are put on the second one. 

— Quantifier cut: we erase the two nodes V and 3t, the cut goes up as the jumps. 
In all the proof- structure we make the substitution of x by t. 




— Multiplicative constant cut: we erase the three nodes: 1, _L and cut. The 
jumps starting from them are duplicated and moved to the jumps of T. 

The cases of a cut with a ⊤-node or with a C-node are still to be studied. A solution for the additive contraction is proposed in [7], but it is not uniform with the other reduction steps. However, with the restriction to the steps defined above, we have the same result as in [7]:

Theorem 6. A proof-net without ⊤-node and without &-connectives in the formulas associated to its pending edges, which cannot be reduced by any step described above, is in normal form (i.e. without cut-node).

This has already been proved by J.-Y. Girard for the multiplicative-additive case, but we give here a really different proof using the p-orientation.
Proof. If the proof-net contains no &-nodes, all the weights are 1 and there is no problem. Otherwise let L be a terminal &-node, that is, one with no path to another &-node. By the hypothesis, there must be a cut-node (hereditarily) under L. Then this cut-node can be reduced by terminality of L. □

Theorem 7 (Cut-elimination). Strong correctness is preserved by the cut-elimination procedure.

Proof. The steps are well defined in a proof-net (x is not free in t for the quantifier step, by acyclicity). Then each step preserves the strong criterion. □

Conclusion 

The polarization constraint, coming from LC, gives a system of proof-nets with a correctness criterion which is really simpler than the one in the general case [7]. Through the translation between LC and LLP, this gives proof-nets for the sequent calculus LC, solving our starting problem.

The last section of this paper is devoted to cut-elimination where the problem 
of commutative additive contraction appears. A full solution has still to be found. 

Much work is now possible, such as an extension of our approach to second order quantifiers, the study of a geometry of interaction or of a game semantics for such proof-nets, the continuation of this work towards the intuitionistic polarities as defined in [6], ...
Abstract. Call-by-push-value is a new paradigm that subsumes the call-by-name and call-by-value paradigms, in the following sense: both operational and denotational semantics for those paradigms can be seen as arising, via translations that we will provide, from similar semantics for call-by-push-value.

To explain call-by-push-value, we first discuss general operational ideas, especially the distinction between values and computations, using the principle that "a value is, a computation does". Using an example program, we see that the λ-calculus primitives can be understood as push/pop commands for an operand-stack.

We provide operational and denotational semantics for a range of computational effects and show their agreement. We hence obtain semantics for call-by-name and call-by-value, of which some are familiar, some are new and some were known but previously appeared mysterious.



1 Introduction 

1.1 A Single Paradigm 

In a recent invited lecture [Rey98], Reynolds, surveying over 30 years of programming language development, called for a common framework for typed call-by-name (CBN) and typed call-by-value (CBV). We consider this an important problem, as the existence of two separate paradigms is troubling:

— it makes each language appear arbitrary (whereas a unified language might 
be more canonical); 

— on a more practical level, each time we create a new style of semantics, 
e.g. Scott semantics, operational semantics, game semantics, continuation 
semantics etc., we always need to do it twice — once for each paradigm. 

We propose call-by-push-value (CBPV), a new typed paradigm based on Filinski's variant of Moggi's computational λ-calculus [Fil96,Mog91], as a solution to this problem. We will introduce a CBPV language, and give translations from CBN and CBV languages into it. We claim that, via these translations, CBPV "subsumes" CBN and CBV.
But what does it mean for one language to subsume another? After all, there are sound, adequate translations from CBN and CBV languages into each other [Plo76,HD97] and into other languages such as linear λ-calculus, Moggi's calculus [BW96,Mog91] and others [Mar98,MC88,JLST98,SJ98]. So we must explain in what sense our translations into CBPV go beyond these "classic" transforms, and why, consequently, CBPV is a solution to Reynolds' problem.

We therefore introduce the following informal criterion. A translation α from language L' into language L is subsumptive if every "naturally arising" denotational semantics, operational semantics or equation for L' arises, via α, from a "similar" denotational semantics, operational semantics or equation for L.

The importance of such a translation is that the semanticist need no longer 
attend to L' , because its primitives can be seen as no more than syntactic sugar 
for complex constructs of L. We shall see in Sect. 1.2 that the classic translations 
mentioned above are not subsumptive. 

The essence of Reynolds’ problem can now be expressed as follows: 

Give subsumptive translations from CBN and CBV languages into a single language.

The key features of CBPV that enable it to solve this problem are that 

1. it divides Moggi’s type constructor T into two type constructors U and F, 
that give types of thunks and of producers respectively; 

2. it distinguishes between values and computations; 

3. writing V'M for "M applied to V", the λ-calculus primitives can be understood as commands for an operand-stack:

— V' can be read as "push V";

— λx can be read as "pop x".

(1) is reminiscent of the division of a monad into an adjunction. However, while an adjunction (with extra structure) gives rise to a model for CBPV, different (non-equivalent) adjunctions can give rise to the same model, because not all of the adjunctional structure is used. This is explained in [Lev98].

Feature (2) is shared with CBV, and feature (3) with CBN. (Indeed the push/pop reading is widely used in implementation of lazy languages [Jon92].)

That our translations into CBPV are subsumptive is too informal a claim to 
prove, but we have a diverse collection of examples to corroborate it: 

— We can give operational semantics for CBPV in big-step, small-step or ma- 
chine form, and recover standard operational semantics for CBV and CBN. 
These can be formulated to include various computational effects. 

— We can give Scott semantics for CBPV, and recover those for CBN [Plo77] 
and for CBV [Plo85]. 

— We can give state-passing semantics for CBPV, and recover the mysterious 
CBN semantics of O’Hearn [0’H93], and a straightforward CBV semantics. 

— We can give continuation semantics for CBPV, and recover the CBV semantics of [Plo76] and the CBN semantics of [SR96] (NB not that of [Plo76], which is not quite CBN, as it does not validate the η-law).
— We can give game semantics for CBPV, and recover the CBN game semantics of [HO94] and the CBV game semantics of [AM98].

— We can give an equational theory for CBPV. The equations that this gives us for CBN include the β- and η-laws for functions, which generally fail in CBV. The equations that we obtain for CBV include for example

$$\Gamma, x : \mathtt{bool} \vdash M = \mathtt{if}\ x\ \mathtt{then}\ M[\mathtt{true}/x]\ \mathtt{else}\ M[\mathtt{false}/x] \tag{1}$$

which generally fails in CBN. (1) is in fact a special case of the η-law for sum types.

— We can give a (rather messy) categorical semantics for CBPV. From a 
CBPV-structure we can construct for CBN a cartesian closed category, and 
for CBV a premonoidal category in the sense of [PR97] . 

— If we add sum types to both CBN and CBV languages, our translations 
into CBPV can be extended to include them. While both operational and 
denotational semantics for sum types differ between CBN and CBV, all the 
differences are recovered from their translation into CBPV. 

After discussing related work, we give an operational account of the principles 
of CBPV. We add divergence and recursion to the basic language, and provide 
Scott semantics, which helps to motivate our translations from CBN and CBV 
into CBPV. Finally, we provide operational and denotational semantics for a 
range of computational effects. 

Acknowledgements I am grateful to M. Fiore, M. Marz, E. Moggi, P. O’Hearn, 
S. Peyton Jones, J. Power, U. Reddy, J. Reynolds, E. Robinson, H. Thielecke, 
referees and others for their helpful comments on this and related material. 



1.2 Related Work 

We briefly give some ways in which other proposed translations from CBN and 
CBV, even those on which ours are based, are not subsumptive. Of course, the 
objectives that they were designed to achieve are different. 

We first look at cases in which semantics for the source language does not, 
so far as we can see, extend along the translation. 

— It is not evident how to provide operational semantics for the monadic tar- 
get languages of [BW96,Fil96,Mog91] so as to recover standard operational 
semantics for the source languages. 

— The monad language of [BW96,Mog91] does not provide semantics for CBN, because the translation from CBN into it, like the thunking transform from CBN to CBV [HD97,SJ98], does not preserve the η-law for functions.

— As remarked in [BW96], the linear language used there assumes “commu- 
tativity” of effects, so that continuation models, for example, do not arise 
from it; likewise for the language of [Mar98,MC88]. 

— The CPS transforms of [SR96,Plo76] do not, of course, preserve Scott se- 
mantics. 
More subtly, there are cases where a semantics for the source language does extend to one for the target, but not (as subsumptiveness requires) to a "similar" one: the semantics of types becomes more complicated.

— To decompose the CBV predomain¹ model of [Plo85] using A →_CBV B = A → TB [BW96,Mog91], we must drop the countable-base condition on predomains, because the total function space operation does not preserve it. For example, ℕ → ℕ is a flat, uncountable "predomain".

— The CBN game model of [HO94] can exhibit a linear decomposition A →_CBN B = !A ⊸ B [BW96,Gir87], but types must then denote games rather than arenas. (Some further problems with this linear approach are discussed in [McC96], and it is abandoned for technical reasons in [AHM98].)

2 Call-by-push-value 

We introduce CBPV in this section using an operational account, because (as for 
CBN and CBV) the operational ideas remain essentially constant across different 
effects, whereas the range of models is wide. 



2.1 Operational Principles and Types 

In CBPV we distinguish between computations and values. Intuitively speaking, 
a computation does, while a value is. CBPV has two disjoint classes of types: a 
computation has a computation type, while a value has a value type. For clarity 
we underline computation types. 

The two classes of types are given by

$$A ::= UB \;\mid\; \sum_{i \in I} A_i \;\mid\; 1 \;\mid\; A \times A \qquad\qquad B ::= FA \;\mid\; \prod_{i \in I} B_i \;\mid\; A \to B$$

where each set I of tags is countable (so the language is infinitary).

We explain the types as follows; notice how this explanation maintains the does/is principle. Throughout execution, there is an operand-stack of values and tags that is pushed onto and popped from.

— A value of type UB is a thunk of a computation of type B.

— A value of type Σ_{i∈I} A_i is a pair (i, V), where i ∈ I and V is a value of type A_i.

— A value of type A × A' is a pair (V, V'), where V is a value of type A and V' is a value of type A'.

— A value of type 1 is the 0-tuple (). We largely omit further mention of this type, as it is entirely analogous to ×.

— A computation of type FA produces a value of type A.

— A computation of type Π_{i∈I} B_i pops a tag i ∈ I from the operand-stack, and then behaves as a computation of type B_i.

— A computation of type A → B pops a value of type A from the operand-stack, and then behaves as a computation of type B.

A computation can perform other effects besides popping and producing. For example, a computation M of type A → FA' might output, then pop a value of type A, then push a value of type C, then input, then pop a value of type C and finally produce a value of type A'. Or it might crash, diverge, make some choices, jump out etc. But it cannot perform any further effects after producing, for then another computation begins, using the value that M produced.

Values alone can be stored, input, output, pushed, popped or chosen. Identifiers can be bound to (or replaced by) values alone, and therefore they always have value type. A computation is too "active" for this, although a thunk of a computation M is a value, so it can be stored etc. Later the thunk can be forced, and M then happens. Of course, a single thunk can be forced several times.

We call a value type of the form Σ_{i∈I} 1 a groundtype and write n̄, or even just n, for (n, ()). In particular, we write bool and nat for the groundtypes Σ_{i∈{true,false}} 1 and Σ_{i∈ℕ} 1 respectively. A computation of type F Σ_{i∈I} 1 is called a ground producer because it produces a ground value.

Moggi's type TA [Mog91] becomes in our type system UFA, because a value of type UFA is a thunk of a computation that produces a value of type A.

¹ A predomain (X, ≤) is a countably based, algebraic directed-complete poset, with joins of all nonempty bounded subsets, in which the down-set {y ∈ X : y ≤ x} of each x ∈ X has a least element. (The last condition is adapted from [AM98].) A domain (X, ≤, ⊥) is a predomain with a least element ⊥.



2.2 The basic language 

Definition 1. A context Γ is a finite sequence of identifiers with value types x_0 : A_0, ..., x_{m-1} : A_{m-1}. Sometimes we omit the identifiers and write Γ as a list of value types.

The calculus has two kinds of judgement

$$\Gamma \vdash^c M : B \qquad\qquad \Gamma \vdash^v V : A$$

for computations and values respectively. The terms are defined by Fig. 1. We include let, although it could be regarded as sugar. Note that Π is a projection product, whereas × is a pattern-match product. The key computations are

— produce V, the trivial producer of V;

— M to x in M', the sequenced computation (called "generalized let" by Filinski [Fil96]) where firstly the producer M happens, and if it produces a value V then M' happens with x bound to V.

Imperatively, V' means "push V" and λx means "pop x"; and there are similar interpretations for π_i and (···). This reading is illustrated in Sect. 2.3.
Typing rules (pm is an abbreviation for pattern-match):

$$\Gamma, x : A, \Gamma' \vdash^v x : A \qquad \frac{\Gamma \vdash^v V : A}{\Gamma \vdash^c \mathtt{produce}\ V : FA} \qquad \frac{\Gamma \vdash^c M : B}{\Gamma \vdash^v \mathtt{thunk}\ M : UB}$$

$$\frac{\Gamma \vdash^v V : A_{i_0}}{\Gamma \vdash^v (i_0, V) : \sum_{i \in I} A_i} \qquad \frac{\Gamma \vdash^v V : A \quad \Gamma \vdash^v V' : A'}{\Gamma \vdash^v (V, V') : A \times A'} \qquad \frac{\cdots\ \Gamma \vdash^c M_i : B_i\ \cdots}{\Gamma \vdash^c (\ldots, M_i, \ldots) : \prod_{i \in I} B_i}$$

$$\frac{\Gamma, x : A \vdash^c M : B}{\Gamma \vdash^c \lambda x.M : A \to B} \qquad \frac{\Gamma \vdash^v V : A \quad \Gamma, x : A \vdash^c M : B}{\Gamma \vdash^c \mathtt{let}\ x\ \mathtt{be}\ V\ \mathtt{in}\ M : B} \qquad \frac{\Gamma \vdash^c M : FA \quad \Gamma, x : A \vdash^c N : B}{\Gamma \vdash^c M\ \mathtt{to}\ x\ \mathtt{in}\ N : B}$$

$$\frac{\Gamma \vdash^v V : A \times A' \quad \Gamma, x : A, y : A' \vdash^c M : B}{\Gamma \vdash^c \mathtt{pm}\ V\ \mathtt{as}\ (x, y)\ \mathtt{in}\ M : B} \qquad \frac{\Gamma \vdash^c M : \prod_{i \in I} B_i}{\Gamma \vdash^c \pi_{i_0} M : B_{i_0}}$$

$$\frac{\Gamma \vdash^v V : A \quad \Gamma \vdash^c M : A \to B}{\Gamma \vdash^c V'M : B} \qquad \frac{\Gamma \vdash^v V : UB}{\Gamma \vdash^c \mathtt{force}\ V : B} \qquad \frac{\Gamma \vdash^v V : \sum_{i \in I} A_i \quad \cdots\ \Gamma, x : A_i \vdash^c M_i : B\ \cdots}{\Gamma \vdash^c \mathtt{pm}\ V\ \mathtt{as}\ \ldots, (i, x)\ \mathtt{in}\ M_i, \ldots : B}$$

Big-step semantics:

$$\frac{M[V/x] \Downarrow T}{\mathtt{let}\ x\ \mathtt{be}\ V\ \mathtt{in}\ M \Downarrow T} \qquad \frac{M \Downarrow \mathtt{produce}\ V \quad N[V/x] \Downarrow T}{M\ \mathtt{to}\ x\ \mathtt{in}\ N \Downarrow T} \qquad \mathtt{produce}\ V \Downarrow \mathtt{produce}\ V$$

$$\frac{M \Downarrow T}{\mathtt{force\ thunk}\ M \Downarrow T} \qquad \frac{M_{i_0}[V/x] \Downarrow T}{\mathtt{pm}\ (i_0, V)\ \mathtt{as}\ \ldots, (i, x)\ \mathtt{in}\ M_i, \ldots \Downarrow T} \qquad \frac{M[V/x, V'/y] \Downarrow T}{\mathtt{pm}\ (V, V')\ \mathtt{as}\ (x, y)\ \mathtt{in}\ M \Downarrow T}$$

$$\frac{M \Downarrow (\ldots, M_i, \ldots) \quad M_{i_0} \Downarrow T}{\pi_{i_0} M \Downarrow T} \qquad \frac{M \Downarrow \lambda x.N \quad N[V/x] \Downarrow T}{V'M \Downarrow T}$$

$$(\ldots, M_i, \ldots) \Downarrow (\ldots, M_i, \ldots) \qquad\qquad \lambda x.M \Downarrow \lambda x.M$$

Fig. 1. Terms of Basic Language, and Big-Step Semantics
Remark 1. The reader may wonder why we have not included complex values such as x : A × A' ⊢^v pm x as (y, z) in y : A, or arithmetic expressions. The reason is that they somewhat complicate the operational semantics, our presentation of which exploits the fact that values do not need to be evaluated. Consequently, and since they lie outside the range of our translations from CBN and CBV, we omit them, except in the example program of Sect. 2.3. Nonetheless, all our denotational and categorical models can interpret them straightforwardly.



2.3 Example Computation 

The following example M illustrates the naive imperative reading of CBPV. To this end, we add to the language arithmetic expressions as values (Remark 1) and the facility to prefix a print command to any computation.

    print "hello0";
    let x be 3 in
    let y be thunk (
        print "hello1";
        λz.
        print "we just popped " z;
        produce x + z
    ) in
    print "hello2";
    (
        print "hello3";
        7'
        print "we just pushed 7";
        force y
    ) to w in
    print "w is bound to " w;
    produce w + 5

Note that if the word thunk were omitted, M would be ill-typed, because y can identify only a value, not a computation. The type of y is U(nat → Fnat), because y identifies a thunk of a computation that pops a natural number and then produces a natural number.

M outputs as follows

    hello0
    hello2
    hello3
    we just pushed 7
    hello1
    we just popped 7
    w is bound to 10

and finally produces the value 15.



Call-by-Push- Value: A Subsuming Paradigm 235 



It is clear that if the lines print "hello1" and λz were exchanged, or if the lines print "hello3" and 7' were exchanged, the behaviour of M would be unchanged. We say that "effects commute with λ and with '". A more familiar example of this phenomenon is the equivalence of λx.diverge and diverge. (We are assuming here that, as in our example, the global computation is a producer, so there is no danger that we will try to pop from an empty stack.)



2.4 Big-Step Operational Semantics 

Terminal computations (a subset of closed computations) are given by

$$T ::= \mathtt{produce}\ V \;\mid\; (\ldots, M_i, \ldots) \;\mid\; \lambda x.M \tag{3}$$

Intuitively these are computations that cannot proceed if the operand-stack is empty. We write C_B for the set of closed computations of type B, T_B for the set of terminal elements of C_B, and V_A for the set of closed values of type A.

For the basic language, we define in Fig. 1 a relation ⇓ from C_B to T_B. It can be proved to be a total function. Note that only computations happen; values do not need to be evaluated.
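The big-step rules of Fig. 1 and the program of Sect. 2.3, as an added example in Python (this is not the paper's own code). The evaluator covers the basic language plus the print prefix and arithmetic values of Sect. 2.3; it uses environments and closures in place of the textual substitution M[V/x] of Fig. 1, which is an implementation choice here, and the AST constructor names ('to', 'app', 'pm_sum', ...) are this example's own.

```python
# Big-step evaluator for the basic CBPV language (Fig. 1), extended with the
# print prefix and arithmetic values of the Sect. 2.3 example.  Added example,
# not the paper's code.  Environments and closures stand in for the textual
# substitution M[V/x] of Fig. 1 (an implementation choice of this example).
#
# Values:       ('var', x) | ('num', n) | ('thunk', M) | ('pair', V, V')
#               | ('tag', i, V) | ('add', V, V')
# Computations: ('produce', V) | ('let', x, V, M) | ('to', M, x, N) | ('force', V)
#               | ('lam', x, M) | ('app', V, M)   (this is V'M: push V, then run M)
#               | ('tuple', {i: M_i}) | ('proj', i, M)
#               | ('pm_pair', V, x, y, M) | ('pm_sum', V, {i: (x, M_i)})
#               | ('print', parts, M)   parts: strings and value terms to print


def eval_value(v, env):
    """Values are not evaluated (Sect. 2.4): we only look up identifiers and
    fold the arithmetic added by Remark 1.  thunk M becomes a closure."""
    k = v[0]
    if k == 'var':
        return env[v[1]]
    if k == 'num':
        return v[1]
    if k == 'thunk':
        return ('closure', env, v[1])
    if k == 'pair':
        return (eval_value(v[1], env), eval_value(v[2], env))
    if k == 'tag':
        return (v[1], eval_value(v[2], env))
    if k == 'add':
        return eval_value(v[1], env) + eval_value(v[2], env)
    raise ValueError('unknown value form %r' % (k,))


def run(m, env, out):
    """M ⇓ T.  Returns the terminal T: ('produce', a), ('lam', env, x, M) or
    ('tuple', env, {i: M_i}); printed lines are appended to out."""
    k = m[0]
    if k == 'produce':
        return ('produce', eval_value(m[1], env))
    if k == 'let':                       # let x be V in M
        return run(m[3], {**env, m[1]: eval_value(m[2], env)}, out)
    if k == 'to':                        # M to x in N: M must produce a value
        t = run(m[1], env, out)
        assert t[0] == 'produce', 'sequenced computation is not a producer'
        return run(m[3], {**env, m[2]: t[1]}, out)
    if k == 'force':                     # force thunk M ⇓ T  iff  M ⇓ T
        _, cenv, body = eval_value(m[1], env)
        return run(body, cenv, out)
    if k in ('lam', 'tuple'):            # terminal forms: they wait for the stack
        return (k, env) + m[1:]
    if k == 'app':                       # V'M: M must reach a λ, which pops V
        _, lenv, x, body = run(m[2], env, out)
        return run(body, {**lenv, x: eval_value(m[1], env)}, out)
    if k == 'proj':                      # π_i M: M must reach a tuple
        _, tenv, branches = run(m[2], env, out)
        return run(branches[m[1]], tenv, out)
    if k == 'pm_pair':
        a, b = eval_value(m[1], env)
        return run(m[4], {**env, m[2]: a, m[3]: b}, out)
    if k == 'pm_sum':
        i, a = eval_value(m[1], env)
        x, body = m[2][i]
        return run(body, {**env, x: a}, out)
    if k == 'print':
        out.append(''.join(p if isinstance(p, str) else str(eval_value(p, env))
                           for p in m[1]))
        return run(m[2], env, out)
    raise ValueError('unknown computation form %r' % (k,))


def example():
    """The program M of Sect. 2.3 as an AST; returns (printed lines, produced value)."""
    prog = ('print', ['hello0'],
        ('let', 'x', ('num', 3),
        ('let', 'y', ('thunk',
            ('print', ['hello1'],
            ('lam', 'z',
            ('print', ['we just popped ', ('var', 'z')],
            ('produce', ('add', ('var', 'x'), ('var', 'z'))))))),
        ('print', ['hello2'],
        ('to',
            ('print', ['hello3'],
            ('app', ('num', 7),
            ('print', ['we just pushed 7'],
            ('force', ('var', 'y'))))),
            'w',
            ('print', ['w is bound to ', ('var', 'w')],
            ('produce', ('add', ('var', 'w'), ('num', 5)))))))))
    out = []
    t = run(prog, {}, out)
    return out, t[1]


def beta_check():
    """β-law for → (Fig. 2): V'λx.M and M[V/x] (here: let x be V in M) reach the same terminal."""
    m = ('produce', ('add', ('var', 'x'), ('num', 1)))
    lhs = run(('app', ('num', 2), ('lam', 'x', m)), {}, [])
    rhs = run(('let', 'x', ('num', 2), m), {}, [])
    return lhs == rhs == ('produce', 3)
```

Running example() reproduces the output order of Sect. 2.3: the thunk body (and so "hello1") only runs when y is forced, after 7 has been pushed, and the computation finally produces 15.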



2.5 Equations and Observational Equivalence 

We form an equational theory whose axioms are all substitution instances of the equations in Fig. 2. Compare this theory to those of CBN and CBV.

— In CBV, equations such as η for + types hold because an identifier can be bound only to a value.

— In CBN, equations such as η for → types hold because a term of type → can be evaluated only by applying it.

Since CBPV has both of these features, it has both kinds of equation, which is essentially why it can subsume both paradigms.

Definition 2. A ground context C[] is a closed ground producer with zero or more occurrences of a hole, which can be either a computation or a value.

Definition 3. We say that M ≃ M' when for all ground contexts C[], C[M] ⇓ produce n iff C[M'] ⇓ produce n.

In all of our CBPV languages (e.g. in Sect. 5.1) the equations of the theory hold as observational equivalences (for the appropriate variation on Def. 3). As usual, this will follow from the soundness and adequacy of our models.

It is worth noticing that, with our imperative understanding of V' and λx, the β-law for → equates "push V, then pop x, then M" with M[V/x]. Similarly, the η-law for → equates M (in which x is not free) with "pop x, then push x, then M". These are both intuitively compelling.
β-laws:

$$\Gamma \vdash^c \mathtt{let}\ x\ \mathtt{be}\ V\ \mathtt{in}\ M = M[V/x] : B$$
$$\Gamma \vdash^c (\mathtt{produce}\ V)\ \mathtt{to}\ x\ \mathtt{in}\ M = M[V/x] : B$$
$$\Gamma \vdash^c \mathtt{force\ thunk}\ M = M : B$$
$$\Gamma \vdash^c \mathtt{pm}\ (i_0, V)\ \mathtt{as}\ \ldots, (i, x)\ \mathtt{in}\ M_i, \ldots = M_{i_0}[V/x] : B$$
$$\Gamma \vdash^c \mathtt{pm}\ (V, V')\ \mathtt{as}\ (x, y)\ \mathtt{in}\ M = M[V/x, V'/y] : B$$
$$\Gamma \vdash^c \pi_{i_0}(\ldots, M_i, \ldots) = M_{i_0} : B_{i_0}$$
$$\Gamma \vdash^c V'\lambda x.M = M[V/x] : B$$

η-laws:

$$\Gamma \vdash^c M = M\ \mathtt{to}\ x\ \mathtt{in}\ \mathtt{produce}\ x : FA \qquad (x \notin \Gamma)$$
$$\Gamma \vdash^v V = \mathtt{thunk\ force}\ V : UB$$
$$\Gamma, z : \textstyle\sum_{i \in I} A_i \vdash^c M = \mathtt{pm}\ z\ \mathtt{as}\ \ldots, (i, x)\ \mathtt{in}\ M[(i, x)/z], \ldots : B \qquad (x \notin \Gamma)$$
$$\Gamma, z : A \times A' \vdash^c M = \mathtt{pm}\ z\ \mathtt{as}\ (x, y)\ \mathtt{in}\ M[(x, y)/z] : B \qquad (x, y \notin \Gamma)$$
$$\Gamma \vdash^c M = (\ldots, \pi_i M, \ldots) : \textstyle\prod_{i \in I} B_i$$
$$\Gamma \vdash^c M = \lambda x.\,x'M : A \to B \qquad (x \notin \Gamma)$$

Other laws:

$$\Gamma \vdash^c (M\ \mathtt{to}\ x\ \mathtt{in}\ M')\ \mathtt{to}\ y\ \mathtt{in}\ M'' = M\ \mathtt{to}\ x\ \mathtt{in}\ (M'\ \mathtt{to}\ y\ \mathtt{in}\ M'') : B \qquad (x, y \notin \Gamma)$$
$$\Gamma \vdash^c \pi_i(M\ \mathtt{to}\ x\ \mathtt{in}\ M') = M\ \mathtt{to}\ x\ \mathtt{in}\ \pi_i M' : B_i \qquad (x \notin \Gamma)$$
$$\Gamma \vdash^c V'(M\ \mathtt{to}\ x\ \mathtt{in}\ M') = M\ \mathtt{to}\ x\ \mathtt{in}\ V'M' : B \qquad (x \notin \Gamma)$$

Fig. 2. β-laws, η-laws and other laws



3 Divergence, Recursion and Scott Semantics 

As divergence is the computational effect most familiar to semanticists, we study it first. We add to the basic language the computations

$$\Gamma \vdash^c \mathtt{diverge} : B \qquad\qquad \frac{\Gamma, x : UB \vdash^c M : B}{\Gamma \vdash^c \mu x.M : B}$$

and the big-step rules

$$\frac{\mathtt{diverge} \Downarrow T}{\mathtt{diverge} \Downarrow T} \qquad\qquad \frac{M[\mathtt{thunk}\ \mu x.M / x] \Downarrow T}{\mu x.M \Downarrow T}$$

so that ⇓ is now a partial function from C_B to T_B. The recursion binder μx can be read imperatively as "bind x to a thunk of the present computation", and therefore μx.M is a computation.

The Scott semantics for CBPV interprets value types (and hence contexts) as predomains and computation types as domains. For example,

— ⟦FA⟧ is the lift of ⟦A⟧;

— if ⟦B⟧ is the domain (X, ≤, ⊥) then ⟦UB⟧ is its underlying predomain (X, ≤);

— ⟦A → B⟧ is the domain of continuous functions from ⟦A⟧ to ⟦B⟧.

Then to each computation Γ ⊢^c M : B we associate a continuous function ⟦M⟧ : ⟦Γ⟧ → ⟦B⟧, and to each value Γ ⊢^v V : A we associate a continuous function ⟦V⟧ : ⟦Γ⟧ → ⟦A⟧. For example, where ρ ∈ ⟦Γ⟧,

$$\llbracket \mathtt{produce}\ V \rrbracket \rho = \mathrm{lift}\,(\llbracket V \rrbracket \rho)$$

$$\llbracket M\ \mathtt{to}\ x\ \mathtt{in}\ N \rrbracket \rho = \begin{cases} \llbracket N \rrbracket (\rho, a) & \text{if } \llbracket M \rrbracket \rho = \mathrm{lift}\, a \\ \bot & \text{if } \llbracket M \rrbracket \rho = \bot \end{cases}$$

$$\llbracket \mathtt{thunk}\ M \rrbracket \rho = \llbracket M \rrbracket \rho \qquad\qquad \llbracket \mathtt{force}\ V \rrbracket \rho = \llbracket V \rrbracket \rho$$

In particular, ⟦thunk diverge⟧ρ is the least element of the predomain ⟦UB⟧.

Proposition 1 (Soundness/Adequacy). For any closed computation M,

1. if M ⇓ T, then ⟦M⟧ = ⟦T⟧;

2. if ⟦M⟧ > ⊥, then M ⇓ T for some T.

4 Translating CBN and CBV into CBPV 

As we would expect from the Scott semantics of Sect. 3, CBN types translate into computation types, while CBV types translate into value types. The most important type decomposition into CBPV is

$$B \to_{\mathrm{CBN}} B' = (UB) \to B' \tag{4}$$

This corresponds to the fact that in CBN a function is effectively applied to a thunk. Perhaps it is because the interpretation of U and of thunk is almost invisible in CBPV Scott semantics that this decomposition has remained hidden for so long.

Another important type decomposition into CBPV is

$$A \to_{\mathrm{CBV}} A' = U(A \to FA') \tag{5}$$

This is similar, and in a sense equivalent, to Moggi's decomposition [Mog91] as A → TA', but notice that (5) avoids the countability problem mentioned in Sect. 1.2. It says that a CBV function from A to A' is a thunk of a computation that pops a value of type A and then produces a value of type A'.

The translations into CBPV are given in Fig. 3 and Fig. 4. The source languages of these translations are prototypical CBN and CBV languages like PCF and PCFv, with sum types. They are equipped with Scott semantics ⟦−⟧_CBN and ⟦−⟧_CBV (together with a semantics ⟦−⟧^val_CBV for CBV values) and big-step semantics ⇓_CBN and ⇓_CBV. We omit presenting them in detail. For simplicity, we have supplied a projection product for CBN but a pattern-match product for CBV, although in principle one could have both kinds of product in each paradigm.

Some of the technical results for the CBN translation concern not the function −^n (which does not commute with substitution) but a relation ⇝ from CBN to CBPV terms. Informally, M ⇝ M' means that M' is M^n with possibly some extra force thunk prefixes. The direct inductive definition of ⇝ is comprised of one rule for each CBN term-constructor, e.g.

$$x \leadsto \mathtt{force}\ x \qquad\qquad \frac{N \leadsto N' \quad M \leadsto M'}{N'M \leadsto (\mathtt{thunk}\ N')'M'}$$
    C                                  | C^n (a computation type)
    bool                               | F Σ_{b∈{true,false}} 1
    A → B                              | UA^n → B^n
    A × B                              | A^n Π B^n
    A + B                              | F(UA^n + UB^n)

    A_0, ..., A_{m-1} ⊢ M : C          | UA_0^n, ..., UA_{m-1}^n ⊢^c M^n : C^n
    x                                  | force x
    false                              | produce false
    if M then N else N'                | M^n to z in pm z as true in N^n, false in N'^n
    λx.M                               | λx.M^n
    N'M                                | (thunk N^n)'M^n
    (M, M')                            | (M^n, M'^n)
    π_i M                              | π_i M^n
    inl M                              | produce inl thunk M^n
    pm M as inl x in N, inr x in N'    | M^n to z in pm z as inl x in N^n, inr x in N'^n
    μx.M                               | μx.M^n

Fig. 3. Translation of CBN types and terms



    C                                  | C^v (a value type)
    bool                               | Σ_{b∈{true,false}} 1
    A → B                              | U(A^v → FB^v)
    A × B                              | A^v × B^v
    A + B                              | A^v + B^v

    A_0, ..., A_{m-1} ⊢ V : C          | A_0^v, ..., A_{m-1}^v ⊢^v V^val : C^v
    x                                  | x
    false                              | false
    λx.M                               | thunk λx.M^v
    μy.λx.M                            | thunk μy.λx.M^v
    (V, V')                            | (V^val, V'^val)
    inl V                              | inl V^val

    A_0, ..., A_{m-1} ⊢ M : C          | A_0^v, ..., A_{m-1}^v ⊢^c M^v : FC^v
    V (a value)                        | produce V^val
    if M then N else N'                | M^v to z in pm z as true in N^v, false in N'^v
    MN (M first)                       | M^v to f in N^v to x in x'(force f)
    pm M as (x, y) in N                | M^v to z in pm z as (x, y) in N^v
    pm M as inl x in N, inr x in N'    | M^v to z in pm z as inl x in N^v, inr x in N'^v

Fig. 4. Translation of CBV types, values and terms
and the additional rule

$$\frac{M \leadsto M'}{M \leadsto \mathtt{force\ thunk}\ M'}$$

Proposition 2.

1. (M[V/x])^v = M^v[V^val/x]

2. If M ⇝ M' and N ⇝ N' then M[N/x] ⇝ M'[thunk N'/x].

We are now in a position to describe the fundamental subsumption properties: that the Scott and big-step semantics of CBN and CBV can be recovered from those of CBPV.

The preservation of the Scott semantics is straightforward:

Proposition 3.

1. If A is a CBN type then ⟦A⟧_CBN = ⟦A^n⟧.

2. If Γ ⊢ M : A is a CBN term and M ⇝ M' then ⟦M⟧_CBN = ⟦M'⟧.

3. If A is a CBV type then ⟦A⟧_CBV = ⟦A^v⟧.

4. If Γ ⊢ V : A is a CBV value then ⟦V⟧^val_CBV = ⟦V^val⟧.

5. If Γ ⊢ M : A is a CBV term then ⟦M⟧_CBV = ⟦M^v⟧.

That the equations of CBN/CBV are preserved follows from Prop. 2.

Proposition 4. Suppose M is a closed CBN term, and M ⇝ M'.

1. If M' is terminal then M is, and M is terminal iff M^n is.

2. If M ⇓_CBN T then, for some T', T ⇝ T' and M' ⇓ T'.

3. If M' ⇓ T', then, for some T, T ⇝ T' and M ⇓_CBN T.

Proposition 5. Suppose M is a closed CBV term.

1. M is terminal iff M^v is terminal.

2. If M ⇓_CBV T then M^v ⇓ T^v.

3. If M^v ⇓ T', then, for some T, T^v = T' and M ⇓_CBV T.

Parts (2) and (3) of these are proved by induction, primarily on the big-step derivation, and secondarily on M ⇝ M' (for Prop. 4) or on M (for Prop. 5).



5 Operational Semantics for Computational Effects 

It is straightforward to adapt the big-step semantics of Sect. 2.4 to various computational effects (except for control effects, which require machine semantics, where the search for a redex is made explicit). We give two examples: global store and nondeterminism.

5.1 Global Groundtype Store

We will consider a single global storage cell X that stores a value of groundtype Σ_{s∈S} 1. We add to the basic language the computations

$$\Gamma \vdash^c \mathtt{deref}\ X : F\sum_{s \in S} 1 \qquad\qquad \frac{\Gamma \vdash^v V : \sum_{s \in S} 1 \quad \Gamma \vdash^c M : B}{\Gamma \vdash^c X := V;\ M : B}$$

While it is possible to give type F1 to commands such as assignment and output, here we regard them as prefixes.

We define a relation ⇓ from S × C_B to S × T_B, adapting the rules of Sect. 2.4 and adding rules for the new constructs. For example:

$$s, T \Downarrow s, T \qquad\qquad \frac{s, M \Downarrow s', \lambda x.N \quad s', N[V/x] \Downarrow s'', T}{s, V'M \Downarrow s'', T}$$

$$s, \mathtt{deref}\ X \Downarrow s, \mathtt{produce}\ s \qquad\qquad \frac{s', M \Downarrow s'', T}{s, X := s';\ M \Downarrow s'', T}$$

⇓ can be proved to be a total function.

Finally, we say that M ≃ M' when for all ground contexts C[] and s, s' ∈ S, s, C[M] ⇓ s', produce n iff s, C[M'] ⇓ s', produce n.



5.2 Nondeterminism 

We add to the basic language the divergence and recursion facilities of Sect. 3 together with the following term and big-step rule:

$$\frac{\Gamma, x : A \vdash^c M : B}{\Gamma \vdash^c \mathtt{choose}\ x\ M : B} \qquad\qquad \frac{M[V/x] \Downarrow T}{\mathtt{choose}\ x\ M \Downarrow T}$$

6 Denotational Semantics for Computational Effects 

We describe denotational semantics for the effects of Sect. 5. Part of this is easy: a value type (or a context) should denote a set, with × and Σ_{i∈I} interpreted in the usual way, and a value Γ ⊢^v V : A should denote a function ⟦V⟧ : ⟦Γ⟧ → ⟦A⟧.

The remainder of the semantics differs between the effects. While logically we should present the various semantics first, and then state the soundness results, this makes the interpretation of type constructors appear ad hoc. So we will proceed in reverse order. For global store and nondeterminism, we will state first the soundness and adequacy theorems that we are aiming to achieve, even though they are not yet meaningful, and use this to motivate the semantics. We will also give continuation semantics for the basic language. (Using machine semantics, this can be similarly motivated.)

Proposition 6 (Soundness/Adequacy). Let M be a closed computation.

1. For global store, if s, M ⇓ s', T then ⟦M⟧s = ⟦T⟧s'.

2. For nondeterminism, ⟦M⟧ = {⟦T⟧ : M ⇓ T}.

By looking at Prop. 6, we can guess the interpretation of a computation Γ ⊢^c M : B. (Recall that if B = FA then this judgement corresponds to a CBV term of type A, so its interpretation is familiar.)

— For global store, ⟦M⟧ will be a function from S × ⟦Γ⟧ to ⟦B⟧, where ⟦B⟧ is a set. If B = FA then ⟦B⟧ = S × ⟦A⟧, so that ⟦M⟧ is a function from S × ⟦Γ⟧ to S × ⟦A⟧.

— For nondeterminism, ⟦M⟧ will be a relation from ⟦Γ⟧ to ⟦B⟧, where ⟦B⟧ is a set. If B = FA, then ⟦B⟧ = ⟦A⟧, so that ⟦M⟧ is a relation from ⟦Γ⟧ to ⟦A⟧.

— For continuation semantics, ⟦M⟧ will be a function from ⟦Γ⟧ × ⟦B⟧ to Ans (a fixed set that we regard as the set of "answers"), where ⟦B⟧ is a set. If B = FA, then ⟦B⟧ = ⟦A⟧ → Ans, so that ⟦M⟧ is a function from ⟦Γ⟧ × (⟦A⟧ → Ans) to Ans.

We next turn our attention to the interpretation of U, Π_{i∈I} and →. For U, we know that values Γ ⊢^v V : UB correspond to computations Γ ⊢^c M : B. Thus, in the case of global store, functions from ⟦Γ⟧ to ⟦UB⟧ must correspond to functions from S × ⟦Γ⟧ to ⟦B⟧. Therefore we set ⟦UB⟧ = S → ⟦B⟧. Similarly we can determine the interpretation of U for each effect. As expected, it follows in each case that UFA denotes the same set as Moggi's type TA [Mog91]:

    effect          | U            | F            | T = UF
    global store    | S → −        | S × −        | S → (S × −)
    nondeterminism  | 𝒫            | −            | 𝒫
    control         | − → Ans      | − → Ans      | (− → Ans) → Ans

For A → B, we know that computations Γ ⊢^c M : A → B correspond to computations Γ, A ⊢^c M : B. Thus, in the case of nondeterminism, relations from ⟦Γ⟧ to ⟦A → B⟧ must correspond to relations from ⟦Γ⟧ × ⟦A⟧ to ⟦B⟧. Therefore we set ⟦A → B⟧ to be ⟦A⟧ × ⟦B⟧. Similar reasoning suggests interpretations for both → and Π_{i∈I} for each of our effects:

    effect          | Π_{i∈I}      | →
    global store    | Π_{i∈I}      | →
    nondeterminism  | Σ_{i∈I}      | ×
    control         | Σ_{i∈I}      | ×

We omit the straightforward semantics of terms.

Proposition 7. These five denotational semantics for CBPV all validate the equations of Sect. 2.5. More precisely, if M = M' is provable in the equational theory then ⟦M⟧ = ⟦M'⟧.

Prop. 6 is now meaningful and can be proved. In particular, (1) is trivial. All these models induce models for CBN and CBV. For CBV we recover the familiar continuation semantics of A →_C BV A' as (A × (A' → Ans)) → Ans. For CBN we recover the continuation semantics of [SR96], and also, from our CBPV global store semantics, the state-passing semantics of [O'H93].
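The state-passing semantics of this section for the global store of Sect. 5.1, as an added example in Python (not the paper's own code). The table entries ⟦UB⟧ = S → ⟦B⟧, ⟦FA⟧ = S × ⟦A⟧ and ⟦A → B⟧ = ⟦A⟧ → ⟦B⟧ are realised directly as Python functions and pairs, with ⟦M⟧ρ curried as a function of the store; the AST constructor names and the sample program (a CBV-style function of type U(nat → Fnat), cf. decomposition (5)) are this example's own assumptions.

```python
# State-passing denotational semantics for CBPV with the global cell X of
# Sect. 5.1, following the tables of Sect. 6 (added example, not the paper's
# code):  ⟦FA⟧ = S × ⟦A⟧,  ⟦UB⟧ = S → ⟦B⟧,  ⟦A → B⟧ = ⟦A⟧ → ⟦B⟧, and a
# computation Γ ⊢ M : B denotes a function from S × ⟦Γ⟧ to ⟦B⟧.  Here ⟦M⟧ρ
# is curried as a Python function of the store s.
#
# AST (this example's own names):
#   values        ('var', x) | ('num', n) | ('thunk', M) | ('pair', V, V') | ('add', V, V')
#   computations  ('produce', V) | ('let', x, V, M) | ('to', M, x, N) | ('force', V)
#                 | ('lam', x, M) | ('app', V, M) (= V'M) | ('deref',) | ('assign', V, M) (= X := V; M)


def den_v(v, env):
    """⟦V⟧ρ.  A thunk denotes an element of S → ⟦B⟧ (a state reader)."""
    k = v[0]
    if k == 'var':
        return env[v[1]]
    if k == 'num':
        return v[1]
    if k == 'thunk':
        return den_c(v[1], env)                   # ⟦thunk M⟧ρ = s ↦ ⟦M⟧(s, ρ)
    if k == 'pair':
        return (den_v(v[1], env), den_v(v[2], env))
    if k == 'add':
        return den_v(v[1], env) + den_v(v[2], env)
    raise ValueError('unknown value form %r' % (k,))


def den_c(m, env):
    """⟦M⟧ρ : S → ⟦B⟧.  For B = FA the result is a pair (s', a) in S × ⟦A⟧;
    for B = A → B' it is a function ⟦A⟧ → ⟦B'⟧."""
    k = m[0]
    if k == 'produce':
        return lambda s: (s, den_v(m[1], env))
    if k == 'let':
        return den_c(m[3], {**env, m[1]: den_v(m[2], env)})
    if k == 'to':
        def seq(s):
            s1, a = den_c(m[1], env)(s)          # the producer runs first
            return den_c(m[3], {**env, m[2]: a})(s1)
        return seq
    if k == 'force':
        return den_v(m[1], env)                   # ⟦force V⟧ρ = ⟦V⟧ρ
    if k == 'lam':
        return lambda s: (lambda a: den_c(m[2], {**env, m[1]: a})(s))
    if k == 'app':                                # ⟦V'M⟧(s, ρ) = ⟦M⟧(s, ρ)(⟦V⟧ρ)
        return lambda s: den_c(m[2], env)(s)(den_v(m[1], env))
    if k == 'deref':
        return lambda s: (s, s)                   # matches  s, deref X ⇓ s, produce s
    if k == 'assign':
        return lambda s: den_c(m[2], env)(den_v(m[1], env))
    raise ValueError('unknown computation form %r' % (k,))


# Constructed sample program:
#   let f be thunk λx. X := x; deref X to y in produce y + 1 in
#   (5'(force f)) to r in deref X to z in produce (r, z)
PROG = ('let', 'f', ('thunk', ('lam', 'x',
            ('assign', ('var', 'x'),
            ('to', ('deref',), 'y',
            ('produce', ('add', ('var', 'y'), ('num', 1))))))),
        ('to', ('app', ('num', 5), ('force', ('var', 'f'))), 'r',
        ('to', ('deref',), 'z',
        ('produce', ('pair', ('var', 'r'), ('var', 'z'))))))


def run_state_passing(s0):
    """⟦PROG⟧ applied to initial store s0: returns (final store, produced value)."""
    return den_c(PROG, {})(s0)


def moggi_state_monad(s0):
    """A closed value of type UF nat denotes an element of S → (S × nat), Moggi's
    state monad for T = UF; forcing it with store s0 reads the cell and adds 10."""
    t = den_v(('thunk', ('to', ('deref',), 'z',
                         ('produce', ('add', ('var', 'z'), ('num', 10))))), {})
    return t(s0)
```

Whatever the initial store, the assignment inside f overwrites it, so run_state_passing returns the store 5 together with the pair (6, 5); this is the value the big-step rules of Sect. 5.1 compute, as Prop. 6 (1) requires.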
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Abstract. Abramsky’s Linear Chemical Abstract Machine (lcham) is a 
term calculus which corresponds to Linear Logic, via the Curry-Howard 
isomorphism. We introduce a translation from a linear A-calculus into 
LCHAM. The translation result can be well regarded as a black box with 
the i/o ports being atomic. We show that one step computation of LCHAM 
is equivalent to that of the linear A-calculus. Then, we prove the principal 
typing theorem oi LCHAM, which implies the decidability of type checking. 

1 Introduction 

There are attempts to regard concurrent computations as chemical reactions. 
The Chemical Abstract Machine (CHAM) [5] is a model of concurrent computation 
in this line. CHAM influenced various concurrent calculi such as the π-calculus, 
the ambient calculus [6] and the join calculus [8]. 

The main points of CHAM are the following: 

— once a rewriting rule is applied to a multiset of objects, the multiset is 
consumed and transformed into another multiset of objects (in chemistry, 
a solution of molecules changes according to chemical reaction laws). In 
fact, CHAM is resource-sensitive, like Linear Logic (LL). 

— a multiset of objects is again an object (in chemistry, a solution encapsulated 
by a membrane often acts like a molecule). Inside the multiset, computations 
go through independently. This mechanism may enable us to describe 
computations inside a sub-network and/or dynamic structuring of networks. The 
'membrane' plays an important role in mobile calculi such as the ambient 
calculus and the join calculus. CHAM's encapsulation mechanism of computation 
reminds us of the boxing operation of proof nets (Girard [9]). 

So, we are concerned with the Linear Chemical Abstract Machine (Abramsky [1]), 
which corresponds to LL through the Curry-Howard isomorphism. The Linear Chemical 
Abstract Machine (LCHAM) consists not only of rewriting rules but also of typing 
rules. 

To investigate computational properties of LCHAM, we introduce a translation 
from a linear λ-calculus into LCHAM. A linear λ-calculus is a resource-sensitive 
refinement of the λ-calculus. It is employed for analyzing functional programming 
languages with respect to evaluation strategy [12], [4] and/or resource 
allocation [7]. We are concerned with the linear λ-calculus introduced by Bierman 
[3], and we translate its terms into proof nets. Then we prove that one-step 
reduction in the linear λ-calculus corresponds to one-step reduction in LCHAM 
modulo a bisimulation. 

To investigate type-theoretic properties of LL, we prove the principal typing 
theorem of LCHAM. The principal typing theorem is an indispensable theorem 
for implementing a functional language that has a polymorphic type-inference 
system, such as the programming language ML. 

Related Work There are various versions of linear λ-calculi. Abramsky 
introduced a call-by-value linear λ-calculus [1]; Chirimar, Gunter and Riecke 
introduced a linear λ-calculus with a fixpoint operator for non-linear functions [7]. 

The linear λ-calculus of this paper was introduced in Benton et al. [3]. Their 
calculus does not suffer from the coherence problem. Furthermore, it has a stable 
notion of commuting conversions. Commuting-convertible linear λ-terms are 
translated by our translation into the same proof net. In the presence of the 
fixpoint operator, we do not know how to define the commuting conversion, nor 
how the commuting conversion is related to the structure of proof nets. 

We introduce a translation from the linear λ-calculus into proof nets, and the 
translation satisfies the following property: the resulting proof nets can be 
regarded as black boxes whose i/o ports are 'atomic'. So, such black boxes 
can be easily connected through their ports. This is not the case in most 
translations of the multiplicative λ-calculus into proof nets (Bellin-Scott [2], 
Mackie [10], etc.). 

Mackie [11] proved the principal typing theorem of Abramsky's linear 
λ-calculus. We prove the same theorem for LCHAM in this paper. In proving the 
principal typing theorems, the reconstruction algorithm of a derivation of a given 
typing assertion is essential. In the case of the linear λ-calculus, the reconstruction 
algorithm is deterministic. The type assertions are two-sided sequents Γ ⊢ 
t : A, and we can only decompose t in reconstructing the derivations. 

However, in the case of LCHAM, the reconstruction algorithm is 
non-deterministic. Because the type assertions are one-sided sequents like ⊢ t1 : 
A1, ..., tn : An, the reconstruction algorithm chooses non-deterministically which ti to 
decompose. Furthermore, some type-inference rules of LCHAM are another source 
of non-determinism. So, the existence proof of principal types is not trivial. 

Organization In the next section, we review LCHAM [1], a rewriting system for 
proof expressions, which represent proofs of LL. In Section 3, we 
review the linear λ-calculus (Benton et al. [3]). We introduce a translation from 
the linear λ-calculus to LCHAM, and show that one-step β-reduction in the linear 
λ-calculus 'roughly' corresponds to one-step reaction rules in LCHAM. In Section 
4, we prove the principal typing theorem of LCHAM. To prove this theorem, 
we introduce locally correct assertions, which correspond to proof structures in 
LL [9] (ordinary type assertions correspond to proof nets of LL). The complete 
proofs in this paper can be found in [13]. 

2 Linear Chemical Abstract Machine 

We begin by reviewing the Linear Chemical Abstract Machine (LCHAM) [1], a 
rewriting system representing the cut-elimination procedure of a proof in LL. 

A proof expression (PEXP) is an object to rewrite in LCHAM. Proof expressions 
are defined together with terms and coequations as follows. Letters P, Q, ... stand 
for PEXPs, t, u, ... for terms, x, y, z, ... for names, and boldface x, y, z, ... for 
lists of names. Terms are defined as 

t ::= x | * | ○ | t1 ⊗ t2 | t1 ⅋ t2 | inl(t) | inr(t) | x(P || Q) | ?t | _ | t1 @ t2 | x(P). 

We call a term of the form x(P) or x(P || Q) a closure, and the x of x(···) its 
binding names. Coequations have the form t ⊥ u, where t and u are terms. Proof 
expressions have the form Θ; t, where Θ is a finite sequence of coequations and t is 
a finite sequence of terms. 



2.1 Type inference 

Types, ranged over by A, B, C, ..., are exactly the formulas of LL. For every 
formula A, its linear negation is denoted by A^⊥. We sometimes write t : Γ for 
t1 : A1, ..., tn : An where t = t1, ..., tn and Γ = A1, ..., An. Different names 
are introduced for each instance of the Axiom, With and OfCourse rules. 



Exchange: 
  ⊢ Θ; Γ, u : A, t : B, Δ 
  ------------------------ 
  ⊢ Θ; Γ, t : B, u : A, Δ 

Axiom: 
  ------------------ 
  ⊢ ; x : A^⊥, x : A 

Cut: 
  ⊢ Θ; Γ, t : A     ⊢ Θ'; Δ, u : A^⊥ 
  ------------------------------------ 
  ⊢ Θ, Θ', t ⊥ u; Γ, Δ 

One: 
  --------- 
  ⊢ ; * : 1 

Bot: 
  ⊢ Θ; Γ 
  ------------- 
  ⊢ Θ; Γ, ○ : ⊥ 

Times: 
  ⊢ Θ; Γ, t : A     ⊢ Θ'; Δ, u : B 
  ---------------------------------- 
  ⊢ Θ, Θ'; Γ, Δ, t ⊗ u : A ⊗ B 

Par: 
  ⊢ Θ; Γ, t : A, u : B 
  ---------------------- 
  ⊢ Θ; Γ, t ⅋ u : A ⅋ B 

With: 
  ⊢ Θ; t : Γ, t : A     ⊢ Θ'; u : Γ, u : B 
  ------------------------------------------ 
  ⊢ ; x : Γ, x(Θ; t, t || Θ'; u, u) : A & B 

Plus-1: 
  ⊢ Θ; Γ, t : A 
  ----------------------- 
  ⊢ Θ; Γ, inl(t) : A ⊕ B 

Plus-2: 
  ⊢ Θ; Γ, t : B 
  ----------------------- 
  ⊢ Θ; Γ, inr(t) : A ⊕ B 

OfCourse: 
  ⊢ Θ; t : ?Γ, t : A 
  --------------------------- 
  ⊢ ; x : ?Γ, x(Θ; t, t) : !A 

Weakening: 
  ⊢ Θ; Γ 
  -------------- 
  ⊢ Θ; Γ, _ : ?A 

Dereliction: 
  ⊢ Θ; Γ, t : A 
  --------------- 
  ⊢ Θ; Γ, ?t : ?A 

Contraction: 
  ⊢ Θ; Γ, t : ?A, u : ?A 
  ---------------------- 
  ⊢ Θ; Γ, t @ u : ?A 

In the With and OfCourse rules, the first t, the first u and the x are lists of 
terms and of names respectively, so that t : Γ abbreviates t1 : A1, ..., tn : An. 
Remark 1. Note that we obtain the rules of LL from the type inference rules 
by ignoring PEXPs. We can say that ⊢ Θ; t : Γ corresponds to a proof net [9] 
such that 

— the lowest nodes are Γ, 

— the Cut-links are represented by Θ, and 

— the closures are represented by the boxes. 

For example, ⊢ x(P || Q) ⊥ inl(y); x : Γ, y : A represents the following 
proof net. 

[Figure: the box for the closure x(P || Q), with conclusions Γ, and the node 
inl(y) of type A^⊥ ⊕ B^⊥ built on the axiom link y, joined by a Cut-link; the 
conclusions of the net are Γ and A.] 
2.2 Reductions 

Our discussion is limited to linear PEXPs, which we define slightly differently 
from the ones in Abramsky [1]. In our definition, we consider occurrences of 
names in a PEXP only outside closures and not those in PEXPs inside closures. 
We consider binding names to be outside the closure. 

Definition 1. A PEXP Θ; t is linear if and only if 

— each name occurring in Θ; t does so exactly twice; 

— if a closure x(···) occurs in Θ; t, then none of the other occurrences of x are 
binding names; and 

— each PEXP inside a closure is linear. 

We say a PEXP Θ; t is typable if and only if ⊢ Θ; t : Γ is derivable for some 
Γ. We note that every typable PEXP is linear. Intuitively, the linearity 
condition of a PEXP means that the PEXP can represent a skeleton of some proof 
structure [9]. 

Rewriting rules in LCHAM are classified into reaction rules and a cleanup rule. 
The reduction relation determined by the reaction rules is written as →r. The 
reduction relation determined by the cleanup rule is written as →c. The reaction 
rules rewrite only the 'coequation part' of a PEXP. 

We regard Θ of a PEXP Θ; t as a multiset of coequations, and identify 
coequations t ⊥ u and u ⊥ t. We write Θ = Θ' if Θ and Θ' are equal in the sense 
described above. (This corresponds to the "structural rules" in Abramsky [1].) 
Hereafter, we simply identify Θ and Θ' if Θ = Θ'. 

The cleanup rule represents a contraction of a Cut-link involving an 
Axiom-link. 



A Study of Abramsky's Linear Chemical Abstract Machine 247 



Cleanup rule. 

  Θ, x ⊥ t; u  →c  Θ[t/x]; u[t/x] 

where the other occurrence of x is outside of closures and is not a binding name. 

Reaction rules. 

  Communication    t ⊥ x, x ⊥ u  →r  t ⊥ u 
  Unit             * ⊥ ○  →r  (nothing) 
  Pair             t ⊗ u ⊥ t' ⅋ u'  →r  t ⊥ t', u ⊥ u' 
  Case Left (†)    x(Θ; t, t || Θ'; u, u) ⊥ inl(v)  →r  Θ, x ⊥ t, t ⊥ v 
  Case Right       x(Θ; t, t || Θ'; u, u) ⊥ inr(v)  →r  Θ', x ⊥ u, u ⊥ v 
  Read             x(Θ; t, t) ⊥ ?u  →r  Θ, x ⊥ t, t ⊥ u 
  Discard          x(P) ⊥ _  →r  x1 ⊥ _, ..., xn ⊥ _ 
  Copy (‡)         x(P) ⊥ u @ v  →r  x ⊥ (x' @ x''), x(P)' ⊥ u, x(P)'' ⊥ v 

(†) x ⊥ t denotes x1 ⊥ t1, ..., xn ⊥ tn if x = x1, ..., xn and t = t1, ..., tn. 

(‡) x' denotes a list of new names x1', ..., xn' if x = x1, ..., xn, and x(P)' denotes 
the term obtained by attaching a prime to all names in x(P). x'' and x(P)'' are 
defined in the same way. 
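The reaction rules above, implemented as an added example that is not the paper's code: a small Python reducer over PEXPs encoded as nested tuples, with the linearity check of Definition 1, run on a hand-built copy of the translation ((λx.x) y)° described in Sect. 3.3. The tuple encoding of terms, the omission of the exponential rules (Read, Discard, Copy) and the constructed input are my own assumptions.

```python
# Added example (not the paper's code): a small LCHAM reducer over proof
# expressions, with the linearity check of Definition 1.  Terms are tuples:
# ('var', x), ('unit',), ('bot',) for ○, ('times', t, u), ('par', t, u),
# ('inl', t), ('inr', t), and ('with', [x1, ..., xn], P, Q) for x(P || Q).
# A PEXP is (coeqs, body): a list of coequation pairs (t, u), read as t ⊥ u
# with t ⊥ u and u ⊥ t identified, and a list of main-body terms.
from collections import Counter

def V(x):
    """Name x as a term."""
    return ('var', x)

def subterms(term):
    """All subterms of a term, not descending into closure bodies."""
    yield term
    if term[0] != 'with':
        for s in term[1:]:
            if isinstance(s, tuple):
                yield from subterms(s)

def all_terms(pexp):
    coeqs, body = pexp
    return [s for c in coeqs for s in c] + list(body)

def name_occurrences(pexp):
    """Counter of name occurrences outside closures; binding names count."""
    occ = Counter()
    for term in all_terms(pexp):
        for sub in subterms(term):
            if sub[0] == 'var':
                occ[sub[1]] += 1
            elif sub[0] == 'with':
                occ.update(sub[1])
    return occ

def is_linear(pexp):
    """Definition 1: each name occurs exactly twice, no name is bound by two
    closures, and every PEXP inside a closure is itself linear."""
    binders = Counter()
    for term in all_terms(pexp):
        for sub in subterms(term):
            if sub[0] == 'with':
                binders.update(sub[1])
                if not (is_linear(sub[2]) and is_linear(sub[3])):
                    return False
    return (all(n == 2 for n in name_occurrences(pexp).values())
            and all(n == 1 for n in binders.values()))

def react(pexp):
    """One reaction step (Communication, Unit, Pair, Case Left/Right) on the
    coequation part, or None when no rule applies.  Read, Discard and Copy
    for the exponentials are left out."""
    coeqs, body = pexp
    for i, (t, u) in enumerate(coeqs):
        rest = coeqs[:i] + coeqs[i + 1:]
        for a, b in ((t, u), (u, t)):
            if b[0] == 'var':                                  # Communication
                for j, (v, w) in enumerate(rest):
                    for c, d in ((v, w), (w, v)):
                        if c == b:                             # t ⊥ x, x ⊥ u → t ⊥ u
                            return (rest[:j] + rest[j + 1:] + [(a, d)], body)
            if a[0] == 'unit' and b[0] == 'bot':               # Unit: * ⊥ ○ vanishes
                return (rest, body)
            if a[0] == 'times' and b[0] == 'par':              # Pair
                return (rest + [(a[1], b[1]), (a[2], b[2])], body)
            if a[0] == 'with' and b[0] in ('inl', 'inr'):      # Case Left / Right
                branch_coeqs, branch_body = a[2] if b[0] == 'inl' else a[3]
                *ts, last = branch_body
                new = [(V(x), s) for x, s in zip(a[1], ts)] + [(last, b[1])]
                return (rest + branch_coeqs + new, body)
    return None

def normalize(pexp, limit=10000):
    """Apply reaction rules until none applies (the main body never changes)."""
    for _ in range(limit):
        nxt = react(pexp)
        if nxt is None:
            return pexp
        pexp = nxt
    raise RuntimeError('no normal form within the step limit')

def coequation_set(pexp):
    """Θ as a set of unordered pairs, i.e. modulo t ⊥ u = u ⊥ t (hashable terms)."""
    return frozenset(frozenset(c) for c in pexp[0])

# Constructed input: the translation ((λx.x) y)° obtained from Sect. 3.3,
# x ⊥ x', z' ⊥ x ⅋ x', y ⊥ y', z' ⊥ y' ⊗ w'; y, w'   (ports y and w').
APP = ([(V('x'), V("x'")), (V("z'"), ('par', V('x'), V("x'"))),
        (V('y'), V("y'")), (V("z'"), ('times', V("y'"), V("w'")))],
       [V('y'), V("w'")])

if __name__ == '__main__':
    assert is_linear(APP)
    # Communication on z', Pair, then three more communications leave
    # y ⊥ w'; y, w', the translation of y itself, as Theorem 1 predicts.
    print(normalize(APP))
```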



3 Translation From Linear λ-calculus to LCHAM 

This section begins with a review of the linear λ-calculus which was introduced by 
Benton et al. [3]. 

3.1 The Linear λ-calculus 

We only consider the (⊸, ⊗, !)-fragment of intuitionistic linear logic (ILL). 
Types are either a type variable, A1 ⊗ A2, !A, or a linear implication A1 ⊸ A2. 
Pre-linear λ-terms, ranged over by t, u, ..., are defined as: 

t ::= x | t1 t2 | λx.t | t1 ⊗ t2 | let t1 be x ⊗ y in t2 
    | promote t1, ..., tn for x1, ..., xn in u | derelict(t) 
    | discard t1 in t2 | copy t1 as x, y in t2. 



248 Seikoh Mikami and Yohji Akama 



Here, bound occurrences of variables are either (1) occurrences of x in (λx. ...), 
(2) occurrences of x or y in (let ... be x ⊗ y in ...) or (copy ... as x, y in ...), 
or (3) occurrences of x1, ..., xn in (promote ... for x1, ..., xn in ...). 

An occurrence of a variable is called free if it is not bound. A linear λ-term 
is a pre-linear λ-term t such that each variable occurring free in t does so 
exactly once. 

Type inference rules. 

Ax: 
  ------------- 
  x : A ⊢ x : A 

⊸I: 
  Γ, x : A ⊢ t : B 
  ------------------- 
  Γ ⊢ λx.t : A ⊸ B 

⊸E: 
  Γ ⊢ t : A ⊸ B     Δ ⊢ u : A 
  ----------------------------- 
  Γ, Δ ⊢ tu : B 

⊗I: 
  Γ ⊢ t : A     Δ ⊢ u : B 
  ------------------------- 
  Γ, Δ ⊢ t ⊗ u : A ⊗ B 

⊗E: 
  Γ ⊢ t : A ⊗ B     Δ, x : A, y : B ⊢ u : C 
  ------------------------------------------ 
  Γ, Δ ⊢ let t be x ⊗ y in u : C 

Promotion: 
  Δ1 ⊢ t1 : !A1  ···  Δn ⊢ tn : !An     x1 : !A1, ..., xn : !An ⊢ u : B 
  --------------------------------------------------------------------- 
  Δ1, ..., Δn ⊢ promote t1, ..., tn for x1, ..., xn in u : !B 

Dereliction: 
  Γ ⊢ t : !A 
  ------------------- 
  Γ ⊢ derelict(t) : A 

Weakening: 
  Γ ⊢ t : !A     Δ ⊢ u : B 
  -------------------------- 
  Γ, Δ ⊢ discard t in u : B 

Contraction: 
  Γ ⊢ t : !A     Δ, x : !A, y : !A ⊢ u : B 
  ----------------------------------------- 
  Γ, Δ ⊢ copy t as x, y in u : B 

β-reduction of the linear λ-calculus is defined by the following five rewriting 
rules: 

  (λx.t)u → t[u/x], 
  let t ⊗ u be x ⊗ y in v → v[t/x, u/y], 
  derelict(promote t for x in u) → u[t/x], 
  discard (promote t for x in u) in v → discard t in v, and 
  copy (promote t for x in u) as y', y'' in s 
      → copy t as z', z'' in s[promote z' for x' in u' / y', promote z'' for x'' in u'' / y'']. 

Here t, u, ... stand for lists of linear λ-terms, and x, y, ... for lists of variables. 
If x = x1, ..., xn and t = t1, ..., tn, then 

  promote t for x in u = promote t1, ..., tn for x1, ..., xn in u, 
  discard x in t = discard x1 in ··· discard xn in t, 
  copy t as x, y in u = copy t1 as x1, y1 in ··· copy tn as xn, yn in u. 



3.2 Special Proof Expressions 

We translate linear λ-terms into special PEXPs: 

Definition 2 (Special Proof Expressions). We call a PEXP Θ; x a special 
proof expression, or a special PEXP, if x is a list of distinct names. 

The coequation part Θ is sufficient to determine the computational content 
of the special PEXP Θ; x. On the other hand, this is not the case for a usual PEXP; 
see the following quotation from Abramsky [1]: 

The "molecules" of the linear CHAM are the coequations. We refer to 
Θ in Θ; t as the "solution", and to t as the "main body". The idea is that 
the computation is done in the solution, with the result recorded in the 
main body. One can think of each coequation either as a single sequential 
process, or as a tightly coupled synchronous parallel composition of two 
processes, proceeding in lockstep. (So coequations could be modelled 
by "membranes" in Berry and Boudol's terminology; but we shall not 
pursue this idea.) 

We regard the main part t1, ..., tn of a PEXP Θ; t1, ..., tn as the ports, and we 
let the computation results be recorded not in t1, ..., tn but in the 
coequation part. Moreover, we allow PEXPs to connect to each other through their 
ports. So, we restrict t1, ..., tn to being names x. Thus, x can be easily 
interpreted as a list of port names in concurrent calculi such as CCS [14]. Therefore, a 
clear translation of special PEXPs into, for example, agents of CCS may be made 
easily. 

Thus, in the translation of λ-terms, Θ; x, x' is interpreted as having x as 
input ports and x' as an output port, as in the following figure. 




3.3 The Translation 

Basic Idea. Linear λ-terms represent natural deduction style proofs in ILL, while 
PEXPs represent sequent calculus style proofs in LL (more precisely, an 
equivalence class of proofs where the equivalence is defined to be "the equality as proof 
nets"). We adapt Gentzen's translation of natural deduction style proofs into 
sequent calculus style proofs. 

But we employ a trick to make the translation result a special PEXP. For 
example, the (⊸I) rule is translated into 

  ⊢ Γ^⊥, A^⊥, B 
  --------------- Par 
  ⊢ Γ^⊥, A^⊥ ⅋ B 

(In LL, A1 ⊸ A2 is A1^⊥ ⅋ A2.) If we assign terms to them, then 

  x : Γ, x : A ⊢ t : B 
  ---------------------- ⊸I 
  x : Γ ⊢ λx.t : A ⊸ B 

is translated into 

  ⊢ Θ; x : Γ^⊥, x : A^⊥, x' : B 
  ------------------------------- Par 
  ⊢ Θ; x : Γ^⊥, x ⅋ x' : A^⊥ ⅋ B 

However, the lower PEXP Θ; x, x ⅋ x' in the last figure is not a special PEXP, 
so we let the translation result of λx.t be Θ, y' ⊥ x ⅋ x'; x, y', with y' being 
a fresh variable. This coincides with introducing a Cut-rule: 

  ⊢ Θ; x : Γ^⊥, x : A^⊥, x' : B 
  ------------------------------- Par 
  ⊢ Θ; x : Γ^⊥, x ⅋ x' : A^⊥ ⅋ B          ⊢ ; y' : (A^⊥ ⅋ B)^⊥, y' : A^⊥ ⅋ B   (Axiom) 
  ------------------------------------------------------------------------------- Cut 
  ⊢ Θ, y' ⊥ x ⅋ x'; x : Γ^⊥, y' : A^⊥ ⅋ B 

The Translation Rules. For a linear λ-term t, we define its translation result t° 
by induction on the construction of t. In a PEXP Θ; x, x', we consider Θ to be 
a multiset of coequations, and x, x' as an ordered pair of a multiset of names x 
and a name x'. 

  Var:          x° = x ⊥ x'; x, x' 

  ⊸I:           if t° = Θ; x, x, x', then (λx.t)° = Θ, z' ⊥ x ⅋ x'; x, z' 

  ⊗I:           if t° = Θ; x, x' and u° = Ξ; y, y', then (t ⊗ u)° = Θ, Ξ, z' ⊥ x' ⊗ y'; x, y, z' 

  ⊸E:           if t° = Θ; x, x' and u° = Ξ; y, y', then (tu)° = Θ, Ξ, x' ⊥ y' ⊗ z'; x, y, z' 

  ⊗E:           if t° = Θ; x, x' and u° = Ξ; y, y1, y2, y', 
                then (let t be y1 ⊗ y2 in u)° = Θ, Ξ, x' ⊥ y1 ⅋ y2; x, y, y' 

  Promotion:    if ti° = Θi; yi, yi' (i = 1, ..., n) and u° = Ξ; x, x1, ..., xn, x', then 
                (promote t1, ..., tn for x1, ..., xn in u)° = 
                  Θ1, ..., Θn, x1 ⊥ y1', ..., xn ⊥ yn', 
                  z' ⊥ x x1 ··· xn(Ξ[z/x, z1/x1, ..., zn/xn]; z, z1, ..., zn, x'); 
                  x, y1, ..., yn, z' 

  Dereliction:  if t° = Θ; x, x', then (derelict(t))° = Θ, x' ⊥ ?y'; x, y' 

  Discard:      if t° = Θ; x, x' and u° = Ξ; y, y', then (discard t in u)° = Θ, Ξ, x' ⊥ _; x, y, y' 

  Copy:         if t° = Θ; x, x' and u° = Ξ; y, y1, y2, y', 
                then (copy t as y1, y2 in u)° = Θ, Ξ, x' ⊥ y1 @ y2; x, y, y' 

3.4 The Computational Properties 

The set of all the special PEXPs is not closed under the cleanup rule. Fortunately, 
the cleanup rule is not so important when considering its computational meaning. 
Instead of the cleanup rule, we define several concepts about special PEXPs. In 
the rest of this section, we consider only linear special PEXPs. 

Definition 3. On the set of all the linear special PEXPs, we define = to be the 
smallest equivalence relation satisfying: 

(1) P[z/x] = P, for a fresh name z.     (2) Θ, y ⊥ z; x, x' = Θ[y/z]; x, x'. 

(3) Θ, x ⊥ _; x, x, x' = Θ; x, x'.      (4) Θ, x ⊥ ○; x, x, x' = Θ; x, x'. 

Clause (2) is sufficient to handle a cleanup rule: 

  Θ, y' ⊥ x'; x, y'  =  Θ[y'/x']; x, y'  (by (2))  =  Θ; x, x'  (by (1)). 

Clauses (3) and (4) are required because free variables often disappear via 
β-reduction in the λ-calculus. (In fact, clause (4) is not needed here, but if we 
accept clause (3), it is unnatural not to accept clause (4).) 

Definition 4. Define P ⇒r Q iff P →r0* →r1 Q. Here →r0* is the reflexive 
and transitive closure of →r0. The relation →r0 is determined by the communication 
rule, and →r1 by the other reaction rules. 

Proposition 1. The translation result of any linear λ-term is normal with 
respect to →r1. 

Proposition 2. = is a bisimulation with respect to ⇒r, that is, if P = Q and 
P ⇒r P', then some Q' satisfies P' = Q' and Q ⇒r Q'. 

Proof. In view of the linearity of P and Q, it is easily shown that = is a 
bisimulation with respect to →r, from which the proposition follows directly. 

Corollary 1. If P Q, then P Q- 

The relation = is 'compatible' with the translation. For example, if Θ; x, x, x' = 
Ξ; y, x, y', then Θ, z' ⊥ x ⅋ x'; x, z' = Ξ, z' ⊥ x ⅋ y'; y, z' holds. In particular, 
if t° = u°, then (λx.t)° = (λx.u)° and so forth. 

Next, we prove the following theorem: 

Theorem 1. Let t and u be linear λ-terms. If t → u, then t° ⇒r= u°, i.e., t° 
goes, by ⇒r, to a term which is = to u°. 

To verify the theorem, we define a concept which corresponds to substitution. 

Definition 5. For P = Θ; x, x, x' and Q = Ξ; y, y', we define P[x ← Q] to be 
Θ, Ξ, x ⊥ y'; x, y, x'. 

Intuitively, P[x ← Q] is a process where an "input port" x of P is connected to 
the "output port" of Q. The following figure illustrates this. 

Proposition 3. For all linear λ-terms t and u, and for all free variables x in t, 
(t[u/x])° = t°[x ← u°]. 
Proof. Let u° = Ξ; y, y'. The proof is done by induction on the construction of 
t. Note that x occurs in t exactly once. In this proof, the 'compatibility' of = 
with the translation described above is used. 

Proposition 4. For each rewriting rule l → r of β-reduction, we have l° ⇒r= 
r°. That is, 

  ((λx.t)u)° ⇒r= (t[u/x])°, 
  (let t1 ⊗ t2 be y1 ⊗ y2 in u)° ⇒r= (u[t1/y1, t2/y2])°, 
  (derelict(promote t for x in u))° ⇒r= (u[t/x])°, 
  (discard (promote t for x in u) in s)° ⇒r= (discard t in s)°, 
  (copy (promote t for x in u) as y', y'' in s)° ⇒r= (copy t as z', z'' in 
      s[promote z' for x' in u' / y', promote z'' for x'' in u'' / y''])°. 

Proof. For the proof of the first claim, let t° = Θ; x, x, x' and u° = Ξ; y, y'. 
Then (λx.t)° = Θ, z' ⊥ x ⅋ x'; x, z' and so 

  ((λx.t)u)° = Θ, Ξ, z' ⊥ x ⅋ x', z' ⊥ y' ⊗ w'; x, y, w' 
             →r0 Θ, Ξ, x ⅋ x' ⊥ y' ⊗ w'; x, y, w' 
             →r1 Θ, Ξ, x ⊥ y', x' ⊥ w'; x, y, w' 
             = Θ, Ξ, x ⊥ y'; x, y, x' = t°[x ← u°] = (t[u/x])°. 

The last step is by Proposition 3. The other four claims can be proved similarly. 

The proof of Theorem 1 is by induction on the derivation of t → u. 

From Theorem 1, we can conclude that the β-reductions in the linear λ-calculus 
roughly correspond to the reaction rules except the communication rule in 
LCHAM. 

The commuting conversion is defined as follows. Let f(t) stand for either 
(let s be x ⊗ y in t), (discard s in t), or (copy s as x, y in t). And let g(t) stand 
for either (tu), (let t be z1 ⊗ z2 in u), (discard t in u), (copy t as z1, z2 in u), or 
(derelict(t)). Then the commuting conversion is by definition g(f(t)) →c f(g(t)). 
For example, (let s be x ⊗ y in t)u →c let s be x ⊗ y in tu. The commuting 
conversions expose 'hidden' redexes in terms. 

We can prove that commuting-convertible linear λ-terms are identified when 
translated into PEXPs. More precisely: 

Proposition 5. If t, u are linear λ-terms and t →c u, then t° = u°. 

Proof. We have only to check all the entries of commuting conversions. For 
example, if s° = Θ; x, x', t° = Ξ; y, y' and u° = Π; z, z', then both ((discard s in t)u)° 
and (discard s in tu)° turn out to be Θ, Ξ, Π, x' ⊥ _, y' ⊥ z' ⊗ w'; x, y, z, w'. 
Thus, the translation is preserved by the commuting conversion 
(discard s in t)u →c discard s in tu. The other cases are all done in the same way. 
4 Principal Typing Theorem of LCHAM 

Next, we prove the principal typing theorem of LCHAM: 

Theorem 2 (Principal Typing). There is an algorithm such that, given a 
PEXP P, 

1. if P is typable, then it computes a principal type, 

2. or else it terminates by outputting "not typable". 

Here, 

Definition 6 (Principal Typing). We write ⊩ Θ; t : Γ when for all Δ, these 
are equivalent: (1) ⊢ Θ; t : Δ, and (2) Δ = Γσ for some substitution σ. 

Γ is called a principal type of Θ; t. It is easy to see that Γ is unique up to 
renaming of type variables. Hereafter, we write pt(Θ; t) to represent Γ. 

In LCHAM, a type assertion may have many derivations, unlike in a type system 
of the λ-calculus. In particular, a type assertion ⊢ Θ, Ξ; Γ, Δ, t ⊗ u : A ⊗ B can be 
inferred from ⊢ Θ; Γ, t : A and ⊢ Ξ; Δ, u : B by the inference rule R = Times, 
but it may also be inferred by R from other premises ⊢ ···, t : A and ⊢ ···, u : B. 
The same annoyance arises when R is the Cut-rule. This is why the algorithm we 
will construct in the proof is non-deterministic, while the algorithm for principal 
types of λ-terms is deterministic. 

In Subsection 4.3, we will present the algorithm, and will prove the 
termination property and the correctness. The correctness proof consists of the 
verification of Theorem 2 (1) and (2). Theorem 2 (1) will be proved by using 
the Principal Inference Lemma (i.e. Propositions 7 and 11) in Subsection 4.1, 
and (2) will be proved by using the Generation Lemma (i.e. Propositions 10 and 
6) in Subsection 4.2. 

Hereafter, for sequences Γ and Δ of formulas, we denote by mgu(Γ; Δ) a 
most general unifier θ such that Γθ = Δθ. Note that it is computable. 



4.1 Easy Part of the Proof 

Proposition 6 (Generation Lemma, part 1). 

1. If ⊢ Θ; Γ, t1 ⅋ t2 : C, then C is of the form A ⅋ B and ⊢ Θ; Γ, t1 : A, t2 : B. 

2. If ⊢ Θ; Γ, inl(t) : C, then C is of the form A ⊕ B and ⊢ Θ; Γ, t : A. 

3. If ⊢ Θ; Γ, inr(t) : C, then C is of the form A ⊕ B and ⊢ Θ; Γ, t : B. 

4. If ⊢ Θ; Γ, ○ : C, then C = ⊥ and ⊢ Θ; Γ. 

5. If ⊢ Θ; Γ, _ : C, then C is of the form ?A and ⊢ Θ; Γ. 

6. If ⊢ Θ; Γ, ?t : C, then C is of the form ?A and ⊢ Θ; Γ, t : A. 

7. If ⊢ Θ; Γ, t1 @ t2 : C, then C is of the form ?A and ⊢ Θ; Γ, t1 : C, t2 : C. 

8. If ⊢ ; x : Γ, x(Θ; t, t) : A, then for some Γ', A', we have Γ = ?Γ' and 
A = !A' and ⊢ Θ; t : Γ, t : A'. 

9. If ⊢ ; x : Γ, x(Θ1; t1, u1 || Θ2; t2, u2) : C, then C is of the form A1 & A2, and 
⊢ Θi; ti : Γ, ui : Ai for i = 1, 2. 
Proposition 7 (Principal Type Inference, part 1). The following are 
admissible inference rules. 

  ⊩ Θ; Γ, t : A, u : B 
  ---------------------- 
  ⊩ Θ; Γ, t ⅋ u : A ⅋ B 

  ⊩ Θ; Γ, t : A 
  ----------------------- (†) 
  ⊩ Θ; Γ, inl(t) : A ⊕ α 

  ⊩ Θ; Γ, t : A 
  ----------------------- (†) 
  ⊩ Θ; Γ, inr(t) : α ⊕ A 

  ⊩ Θ; Γ 
  ------------- 
  ⊩ Θ; Γ, ○ : ⊥ 

  ⊩ Θ; Γ 
  -------------- (†) 
  ⊩ Θ; Γ, _ : ?α 

  ⊩ Θ; Γ, t : A 
  --------------- 
  ⊩ Θ; Γ, ?t : ?A 

  ⊩ Θ; Γ, t : A, u : B     μ = mgu(A; B), ν = mgu(?α; Aμ) exist 
  --------------------------------------------------------------- (†) 
  ⊩ Θ; Γμν, t @ u : Aμν 

  ⊩ Θ; t : Γ, t : A     μ = mgu(Γ; ?α) exists 
  -------------------------------------------- (†) 
  ⊩ ; x : Γμ, x(Θ; t, t) : !Aμ 

  ⊩ Θ; t : Γ, t : A     ⊩ Ξ; u : Γ', u : B     μ = mgu(Γ; Γ') exists 
  ------------------------------------------------------------------ (‡) 
  ⊩ ; x : Γμ, x(Θ; t, t || Ξ; u, u) : (A & B)μ 

(†) α is a fresh type variable (in the rule for x(Θ; t, t), ?α stands for a list of 
fresh type variables, one per formula of Γ). (‡) The premises of the form ⊩ ··· 
share no variables. 



4.2 Difficult Part of the Proof 

As we explained in Section 2, a linear PEXP represents a skeleton of a proof 
structure. It is well known that correctness of a proof structure depends mainly 
on the skeleton. We introduce locally correct assertions, which correspond to 
'proof structures.' 

Definition 7 (Locally Correct Assertion). An assertion ⊢l Θ; t : Γ, which 
we call a locally correct assertion, holds if and only if it is derivable in the 
inference system LCHAM'. Here LCHAM' is obtained from LCHAM by replacing 
the Cut-rule and the Times-rule with the following four rules: 

  ------ 
  ⊢l ; 

  ⊢l Θ; Γ     ⊢l Ξ; Δ 
  -------------------- Mix 
  ⊢l Θ, Ξ; Γ, Δ 

  ⊢l Θ; Γ, t : A, u : A^⊥ 
  ------------------------- 
  ⊢l Θ, t ⊥ u; Γ 

  ⊢l Θ; Γ, t : A, u : B 
  ----------------------- 
  ⊢l Θ; Γ, t ⊗ u : A ⊗ B 

Intuitively, the derivation of ⊢l Θ; t : Γ corresponds to a proof structure [9] 
with conclusions Γ. It is easy to see the following: 

Proposition 8. 1. If ⊢l Θ; Γ, u1 ⊗ u2 : C, then C must be of the form A ⊗ B 
and ⊢l Θ; Γ, u1 : A, u2 : B. 

2. If ⊢l Θ, u1 ⊥ u2; Γ, then there is an A such that ⊢l Θ; Γ, u1 : A^⊥, u2 : A. 

Proposition 9. If ⊢l Θ; Γ and Θ ⊇ Θ', Γ ⊇ Γ', then ⊢l Θ'; Γ', provided that 
Θ'; Γ' = Θ'; t' : Γ'' for some linear PEXP Θ'; t'. 

Proof. By induction on the deduction of ⊢l Θ; Γ. 
Theorem 3. For a typable PEXP Θ; t, ⊢ Θ; t : Γ if and only if ⊢l Θ; t : Γ. 

Proof. The only-if part. Note that for each rule 

  ⊢ Q1  ···  ⊢ Qn 
  ---------------- 
  ⊢ P 

of the system ⊢, if in the system ⊢l we assume ⊢l Q1, ..., ⊢l Qn as axioms, we can 
infer ⊢l P by using the Mix-rule. Therefore, we are done. The if part. Because Θ; t 
is typable, there is some Δ such that ⊢ Θ; t : Δ. The proof is by induction on the 
height of this derivation. 

If the last rule is the Times-rule, the derivation ends with 

  ⊢ Θi; ti : Δi, ui : Ai  (i = 1, 2) 
  ------------------------------------------------- 
  ⊢ Θ1, Θ2; t1 : Δ1, t2 : Δ2, u1 ⊗ u2 : A1 ⊗ A2 

By Proposition 8, ⊢l Θ; t : Γ must be of the form ⊢l Θ; t1 : Γ1, t2 : Γ2, u1 ⊗ u2 : 
A1' ⊗ A2'. Moreover, ⊢l Θ; t1 : Γ1, t2 : Γ2, u1 : A1', u2 : A2'. We note that each 
Θi; ti, ui is linear. Hence, by Proposition 9, ⊢l Θi; ti : Γi, ui : Ai'. By the induction 
hypotheses, ⊢ Θ1; t1 : Γ1, u1 : A1' and ⊢ Θ2; t2 : Γ2, u2 : A2'. Then, by applying 
the Times-rule we can conclude ⊢ Θ1, Θ2; t1 : Γ1, t2 : Γ2, u1 ⊗ u2 : A1' ⊗ A2', i.e. 
⊢ Θ; t : Γ. The other cases are easy and similar. 



Proposition 10 (Generation Lemma, part 2). 

1. Suppose some deduction ends with 

  ⊢ Θ1; t1 : Δ1, u1 : A1     ⊢ Θ2; t2 : Δ2, u2 : A2 
  ------------------------------------------------- 
  ⊢ Θ1, Θ2; t1 : Δ1, t2 : Δ2, u1 ⊗ u2 : A1 ⊗ A2 

Then if ⊢ Θ1, Θ2; t1 : Δ1, t2 : Δ2, u1 ⊗ u2 : C, then C is of the form B1 ⊗ B2 and 
⊢ Θi; ti : Δi, ui : Bi (i = 1, 2). 

2. Suppose some deduction ends with 

  ⊢ Θ1; t1 : Δ1, u1 : A     ⊢ Θ2; t2 : Δ2, u2 : A^⊥ 
  ------------------------------------------------- 
  ⊢ Θ1, Θ2, u1 ⊥ u2; t1 : Δ1, t2 : Δ2 

Then if ⊢ Θ1, Θ2, u1 ⊥ u2; t1 : Δ1, t2 : Δ2, there is a B such that ⊢ Θ1; t1 : Δ1, u1 : B 
and ⊢ Θ2; t2 : Δ2, u2 : B^⊥. 

Proof. The premise implies through Theorem 3 that ⊢l Θ1, Θ2; t1 : Δ1, t2 : 
Δ2, u1 ⊗ u2 : C. By Proposition 8, ⊢l Θ1, Θ2; t1 : Δ1, t2 : Δ2, u1 : B1, u2 : B2 and 
C = B1 ⊗ B2 for some B1 and B2. Because the premise (*) : ⊢ Θi; ti : Δi, ui : Ai 
implies the linearity of Θi; ti, ui, Proposition 9 implies ⊢l Θi; ti : Δi, ui : Bi, 
and because of (*), Theorem 3 implies ⊢ Θi; ti : Δi, ui : Bi. The second claim 
can be proved in the same way as above. 



Proposition 11 (Principal Type Inference, part 2). The following are 
admissible inference rules. 

  ⊩ Θi; ti : Γi, ui : Ai  (i = 1, 2) 
  ------------------------------------------------- 
  ⊩ Θ1, Θ2; t1 : Γ1, t2 : Γ2, u1 ⊗ u2 : A1 ⊗ A2 

  ⊩ Θi; ti : Γi, ui : Ai  (i = 1, 2)     μ = mgu(A1; A2^⊥) exists 
  ---------------------------------------------------------------- 
  ⊩ Θ1, Θ2, u1 ⊥ u2; t1 : Γ1μ, t2 : Γ2μ 

The premises of the form ⊩ ··· share no variables. 

Proof. To prove the admissibility of the first inference rule, let ⊢ Θ1, Θ2; t1 : 
Δ1, t2 : Δ2, u1 ⊗ u2 : C. The premise of the rule implies the existence of a 
deduction ending with 

  ⊢ Θi; ti : Γi, ui : Ai  (i = 1, 2) 
  ------------------------------------------------- 
  ⊢ Θ1, Θ2; t1 : Γ1, t2 : Γ2, u1 ⊗ u2 : A1 ⊗ A2 

By Proposition 10, C is of the form A1' ⊗ A2' and ⊢ Θi; ti : Δi, ui : Ai' with 
i = 1, 2. Thus, for some σi, Δi = Γiσi and Ai' = Aiσi. Because of the side 
condition, we have Δi = Γiσ and C = (A1 ⊗ A2)σ for σ being defined below. If 
α occurs in Γi, Ai, then σ(α) is σi(α), or else it is α. Hence we are done. The 
admissibility of the second inference rule can be shown in the same way. 



4.3 The Algorithm for Principal Type 

To compute pt(P), do the following: 

1. If P is of the form Θ; t, t1 ⅋ t2, then: if pt(Θ; t, t1, t2) = [Γ, A, B], then 
pt(P) = [Γ, A ⅋ B], else failure. 

2. If P is of the form Θ; t, inl(t), then: if pt(Θ; t, t) = [Γ, A], then pt(P) = 
[Γ, A ⊕ α], else failure, where α is a fresh type variable. 

3. If P is of the form Θ; t, inr(t), then: if pt(Θ; t, t) = [Γ, A], then pt(P) = 
[Γ, α ⊕ A], else failure, where α is a fresh type variable. 

4. If P is of the form Θ; t, ○, then: if pt(Θ; t) = [Γ], then pt(P) = [Γ, ⊥], else 
failure. 

5. If P is of the form Θ; t, _, then: if pt(Θ; t) = [Γ], then pt(P) = [Γ, ?α], else 
failure. Here α is a fresh type variable. 

6. If P is of the form Θ; t, ?t, then: if pt(Θ; t, t) = [Γ, A], then pt(P) = [Γ, ?A], 
else failure. 

7. If P is of the form Θ; t, t1 @ t2, then: if pt(Θ; t, t1, t2) = [Γ, A, B] and both 
μ = mgu(A; B) and ν = mgu(?α; Aμ) exist, then pt(P) = [Γμν, Aμν], else 
failure. 

8. If P is of the form ; *, then pt(P) = [1]. 

9. If P is of the form ; x, x, then pt(P) = [α^⊥, α], where α is a fresh type 
variable. 

10. If P is of the form ; x, x(Q), then: if pt(Q) = [Γ, A], and if μ = mgu(Γ; ?α) 
exists (where α is a list of fresh type variables), then pt(P) = [Γμ, !Aμ]. Otherwise, 
failure. 

11. If P is of the form ; x, x(Q || Q'), then: if pt(Q) = [Γ1, A], pt(Q') = [Γ2, B], 
and μ = mgu(Γ1; Γ2) exists, then pt(P) = [Γ1μ, (A & B)μ]. Otherwise, 
failure. 

12. Otherwise, let P = Θ; t. For every decomposition of the form Θ = Θ1, Θ2 
and t = t1, t2, u1 ⊗ u2, try to compute pt(Θ1; t1, u1) and pt(Θ2; t2, u2). If it 
fails for every decomposition, go to 13. If it succeeds for a decomposition, let 
the result be [Γ, A] and [Δ, B]. Then pt(P) = [Γ, Δ, A ⊗ B]. 

13. For every decomposition of the form Θ = Θ1, Θ2, u1 ⊥ u2 and t = t1, t2, try 
to compute pt(Θ1; t1, u1) and pt(Θ2; t2, u2). If it succeeds for a 
decomposition, let the result be [Γ, A] and [Δ, B]. If μ = mgu(A; B^⊥) exists, then 
pt(P) = [Γμ, Δμ]. Otherwise, failure. 
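The algorithm above on the multiplicative fragment (steps 1, 9, 12 and 13), as an added example that is not the authors' code: a Python version in which a small Robinson unifier stands in for mgu and linear negation is pushed to the type variables. The tuple encodings of types and terms, the decision to stop at the first succeeding decomposition, and the constructed input (λx.x)° are my own assumptions.

```python
# Added example (not the authors' code): the principal-type algorithm of
# Sect. 4.3 restricted to the multiplicative fragment without units, i.e.
# steps 1, 9, 12 and 13, with Robinson unification as mgu.  Types are
# ('var', a), ('neg', a) for a^⊥, ('times', A, B), ('par', A, B); terms are
# ('var', x), ('times', t, u), ('par', t, u).  A PEXP is (coeqs, body); pt
# returns a list of types parallel to body, or None for "failure".
from itertools import product

_counter = [0]

def fresh():
    """A fresh type variable ('a is a fresh type variable' in the algorithm)."""
    _counter[0] += 1
    return ('var', 'a%d' % _counter[0])

def dual(A):
    """Linear negation A^⊥, pushed down to the variables by De Morgan."""
    if A[0] in ('var', 'neg'):
        return ('neg' if A[0] == 'var' else 'var', A[1])
    return ('par' if A[0] == 'times' else 'times', dual(A[1]), dual(A[2]))

def subst(s, A):
    """Apply the triangular substitution s; a^⊥ becomes the dual of s(a)."""
    if A[0] == 'var':
        return subst(s, s[A[1]]) if A[1] in s else A
    if A[0] == 'neg':
        return dual(subst(s, ('var', A[1])))
    return (A[0], subst(s, A[1]), subst(s, A[2]))

def occurs(a, A):
    return A[1] == a if A[0] in ('var', 'neg') else occurs(a, A[1]) or occurs(a, A[2])

def mgu(A, B, s=None):
    """Most general unifier of A and B, or None; a^⊥ = B binds a := B^⊥."""
    s = {} if s is None else s
    A, B = subst(s, A), subst(s, B)
    if A == B:
        return s
    for X, Y in ((A, B), (B, A)):
        if X[0] in ('var', 'neg'):
            target = Y if X[0] == 'var' else dual(Y)
            if occurs(X[1], target):            # occurs check; also rejects a = a^⊥
                return None
            s[X[1]] = target
            return s
    if A[0] != B[0]:
        return None
    s = mgu(A[1], B[1], s)
    return None if s is None else mgu(A[2], B[2], s)

def splits(n):
    """Every way to distribute n items over two halves ('every decomposition')."""
    for mask in product((0, 1), repeat=n):
        yield [k for k in range(n) if not mask[k]], [k for k in range(n) if mask[k]]

def assemble(n, at1, r1, at2, r2):
    """Put the halves' types back at their positions in a body of length n."""
    out = [None] * n
    for k, A in list(zip(at1, r1)) + list(zip(at2, r2)):
        out[k] = A
    return out

def pt(P):
    coeqs, body = P
    for i, t in enumerate(body):                                # step 1
        if t[0] == 'par':
            r = pt((coeqs, body[:i] + body[i + 1:] + [t[1], t[2]]))
            return None if r is None else r[:i] + [('par', r[-2], r[-1])] + r[i:-2]
    if not coeqs and len(body) == 2 and body[0] == body[1] and body[0][0] == 'var':
        a = fresh()                                             # step 9: ; x, x
        return [dual(a), a]
    for i, t in enumerate(body):                                # step 12
        if t[0] != 'times':
            continue
        others = [k for k in range(len(body)) if k != i]
        for (cs1, cs2), (bs1, bs2) in product(splits(len(coeqs)), splits(len(others))):
            r1 = pt(([coeqs[k] for k in cs1], [body[others[k]] for k in bs1] + [t[1]]))
            r2 = pt(([coeqs[k] for k in cs2], [body[others[k]] for k in bs2] + [t[2]]))
            if r1 is not None and r2 is not None:
                out = assemble(len(body), [others[k] for k in bs1], r1,
                               [others[k] for k in bs2], r2)
                out[i] = ('times', r1[-1], r2[-1])
                return out
    for j, (u1, u2) in enumerate(coeqs):                        # step 13
        rest = coeqs[:j] + coeqs[j + 1:]
        for (cs1, cs2), (bs1, bs2) in product(splits(len(rest)), splits(len(body))):
            r1 = pt(([rest[k] for k in cs1], [body[k] for k in bs1] + [u1]))
            r2 = pt(([rest[k] for k in cs2], [body[k] for k in bs2] + [u2]))
            if r1 is None or r2 is None:
                continue
            mu = mgu(r1[-1], dual(r2[-1]))
            if mu is None:
                return None                                     # "Otherwise, failure"
            return [subst(mu, A) for A in assemble(len(body), bs1, r1, bs2, r2)]
    return None

# Constructed input: (λx.x)° from Sect. 3.3, i.e. x ⊥ x', z' ⊥ x ⅋ x'; z'.
V = lambda x: ('var', x)
IDENTITY = ([(V('x'), V("x'")), (V("z'"), ('par', V('x'), V("x'")))], [V("z'")])
```

pt(IDENTITY) yields a single type of the shape a^⊥ ⅋ a, i.e. a ⊸ a, while a body such as ; x, y, x ⅋ y (a Par across two axioms without a Cut) fails.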
This algorithm terminates for any input, because the number of constructors 
in P decreases strictly at each step. Moreover, the correctness of each step is 
verified as follows: when P is typable, let π be a derivation of it. Then we can 
show that pt(P) is a principal type of P, by induction on π, using Proposition 
7 and Proposition 11. When P is not typable, it outputs "failure," because of 
Proposition 10 and Proposition 6. Thus, the proof of Theorem 2 is completed. 

5 Concluding Remarks 

Mackie [10] introduced a version of the linear λ-calculus, a translation from the 
calculus to proof structures, and studied efficient implementation of call-by- 
(name/value/need) evaluation of the λ-calculus. 

By using LCHAM and its extension, we will analyze the computation of linear 
λ-calculi neatly. Then we will study how (sub)computations can be encapsulated 
(and parallelized) in recent concurrent calculi. 

References 

1. S. Abramsky. Computational interpretations of linear logic. TCS, 111:3-57, 1993. 

2. G. Bellin and P. Scott. On the π-calculus and linear logic. TCS, 135:11-65, 1994. 

3. N. Benton, G. Bierman, J. Martin E. Hyland, and V. de Paiva. A term calculus 
for intuitionistic linear logic. In M. Bezem and J. F. Groote, eds., Typed Lambda 
Calculi and Applications, Proceedings, vol. 664 of LNCS, pp. 75-90, 1993. 

4. N. Benton and P. Wadler. Linear logic, monads and the lambda calculus. In 
Proceedings of the 11th LICS, pp. 420-431, 1996. 

5. G. Berry and G. Boudol. The chemical abstract machine. In Conference Record 
of the 17th POPL, pp. 81-94, 1990. 

6. L. Cardelli and A. D. Gordon. Mobile ambients. In M. Nivat, ed., Foundations of 
Software Science and Computational Structures, vol. 1378 of LNCS, pp. 140-155, 
1998. 

7. J. Chirimar, C. A. Gunter, and J. G. Riecke. Proving memory management 
invariants for a language based on linear logic. In Proceedings of the 1992 ACM 
Conference on Lisp and Functional Programming, pp. 139-150, 1992. 

8. C. Fournet and G. Gonthier. The reflexive CHAM and the join-calculus. In 
Conference Record of the 23rd POPL, pp. 372-385, 1996. 

9. J.-Y. Girard. Linear logic. TCS, 50:1-102, 1987. 

10. I. Mackie. The Geometry of Implementation. Imperial College of Science, 1994. 

11. I. Mackie. Lilac: a functional programming language based on linear logic. JFP, 
4(4):395-433, 1994. 

12. J. Maraist, M. Odersky, D. N. Turner, and P. Wadler. Call-by-name, call-by-value, 
call-by-need and the linear lambda calculus. TCS, special issue on papers presented 
at MFPS'95. 

13. S. Mikami. A theory of a rewriting system based on proof-reduction of linear 
logic. Senior thesis, ftp://nicosia.is.s.u-tokyo.ac.jp:pub/staff/mikami/lcham.ps, 
1996. 

14. R. Milner. Communication and Concurrency. Prentice Hall, 1989. 



Resource Interpretations, Bunched Implications and the αλ-Calculus
(Preliminary Version)



Peter W. O’Hearn 
Queen Mary & Westfield College 



Abstract. We introduce the αλ-calculus, a typed calculus that includes a multiplicative function type $-\!*$ alongside an additive function type $\to$. It arises proof-theoretically as a calculus of proof terms for the logic of bunched implications of O'Hearn and Pym, and semantically from doubly closed categories, where a single category possesses two closed structures. Typing contexts in αλ are bunches, i.e., trees built from two combining operations, one that admits the structural rules of Weakening and Contraction and another that does not. To illuminate the consequences of αλ's approach to the structural rules we define two resource interpretations, extracted from Reynolds's "sharing reading" of affine λ-calculus. Based on this we show how αλ enables syntactic control of interference and Idealized Algol, imperative languages based on affine and simply-typed λ-calculi, to be smoothly combined in one system.



1 Introduction 

The logic BI of bunched implications has two implications, one additive ($\to$) and the other multiplicative ($-\!*$), which it accepts on an equal footing [18]. It may be viewed as a merging of intuitionistic logic (IL) and multiplicative, intuitionistic linear logic (MILL), where the two subsystems are combined by using contexts $\Gamma$ in sequents $\Gamma \vdash A$ built from two combining operations, ";" and ",". Instead of lists, contexts are trees with internal nodes labelled by ";" or ","; in brief, bunches. By allowing the two context-forming operators to nest arbitrarily deeply in a bunch the two subsystems intermix freely.

Here we consider BI from the point of view of types, by using its rules to typecheck terms in what we call the αλ-calculus. Pym introduces αλ independently in a separate paper, as part of his account of the theory of propositional BI [20], and establishes some basic properties of the calculus, including completeness and strong normalization. Our focus here is more on the use of BI as a type system, and especially the semantic and computational implications of its approach to structural rules.

Bunches first arose in work on relevant logic in the seventies [9], where they were used to manage interactions between additive (or extensional, in the relevant terminology) and multiplicative (or intensional) connectives. (See [18] for an account of the relation of BI to relevant and other substructural logics.) The crucial point is that, with bunches, it is possible to control access to structural rules by allowing them for one form of combination but not another. For example, the rules of Weakening and Contraction for the form of combination ";" can be stated as follows:

$$\frac{\Gamma(\Delta) \vdash B}{\Gamma(\Delta;\Delta') \vdash B}\ \text{Weakening} \qquad\qquad \frac{\Gamma(\Delta;\Delta) \vdash B}{\Gamma(\Delta) \vdash B}\ \text{Contraction}$$

where notation of the form $\Gamma(\Delta)$ indicates a bunch with $\Delta$ appearing as a subtree. BI accepts Weakening and Contraction for ";" but not for ",".

Our main concern in this paper is with how this bunch-based approach to the structural rules impacts the meanings of function types. That is, the two implications should evidently correspond to function types $A -\!* B$ and $A \to B$; but for what kinds of functions?



1.1 From Doubly Closed Categories to αλ

To see how the αλ-calculus arises semantically, consider that an introduction rule for a function type typically corresponds to an adjunction. That is, a typing rule

$$\frac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x . M : A \to B}$$

corresponds to an isomorphism of maps of the corresponding shape in a closed category

$$\frac{\Gamma \wedge A \longrightarrow B}{\Gamma \longrightarrow (A \Rightarrow B)}.$$

Now, suppose that we have a doubly closed category, i.e., a single category equipped with two monoidal closed structures instead of only one:

$$\frac{\Gamma \wedge A \longrightarrow B}{\Gamma \longrightarrow (A \to B)} \qquad\qquad \frac{\Gamma * A \longrightarrow B}{\Gamma \longrightarrow (A -\!* B)}.$$

To match this situation, we extend the syntax of typing contexts with an additional combining operation, semi-colon, which allows us to formulate introduction rules corresponding to the two adjunctions:

$$\frac{\Gamma; x : A \vdash M : B}{\Gamma \vdash \alpha x . M : A \to B} \qquad\qquad \frac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x . M : A -\!* B}.$$

This leads directly to the use of bunches for typing contexts. The resulting calculus is named after its binders: α for the additive binder, and λ for the multiplicative, or λinear, binder.

The language we consider admits Weakening and Contraction for ";" but not for ",", and both forms of combination will be commutative. But the same scheme can be used for other combinations, such as for non-symmetric monoidal structures, and even more than two.

The αλ-calculus contains simply-typed λ-calculus and multiplicative, intuitionistic linear λ-calculus as subsystems. Various forms of linear λ-calculus also contain the two subsystems [1,5,24,3], but αλ's approach is rather different. Where linear logic uses a modality "!" (or sometimes distinct zones in contexts) to control access to the structurals, in αλ access is governed by the two means of combination. The difference can be stated crisply in terms of categorical models. In models of linear logic two closed categories are involved, where one is often presented as a Kleisli category [5,4,3]. For instance, in the original coherence space model there are indeed two function types, but $\multimap$ is closed structure in the category of linear maps, while the additive $\to$, which can be represented as $!A \multimap B$, is closed for the category of stable maps. In contrast, in a doubly closed category the two closed structures must reside in one and the same category. (Again, we refer to [18] for a detailed account of the relation to linear logic.)

Categorical semantics makes the formal difference of BI's, and αλ's, approach to the structural rules very clear, but the point of view on function types it offers is very abstract. We can investigate the implications of these structural properties further, and more concretely, by considering "resource interpretations" of the types.

1.2 The Sharing Interpretation 

The sharing reading of the αλ-calculus has two main sources of inspiration. One is Girard's vivid depiction of linear logic as "resource sensitive" [10,11]. The key point, for us, is the focus on the significance of controlling Contraction; this has been explained in linear logic with the number-of-uses reading, where a linear function $f : A \multimap B$ is one that uses its argument exactly once.

The other main source is Reynolds's syntactic control of interference [21], which is based on a novel reading of the affine λ-calculus. We extrapolate from this reading to arrive at what we call the sharing interpretation of αλ.

The background idea for the sharing interpretation is of functional programming data such as functions, pairs, etc., but with an additional, intensional, notion of resources that computational entities are allowed to access. The reading of function types is as follows.

$A -\!* B$: functions that have access to disjoint resources from their arguments.

$A \to B$: functions that have access to the same resources as their arguments.

The bare statement of the interpretation is so direct that, at first glance, it may seem as if it must amount to the same thing as resource interpretations for other systems that control the structural rules. For, if we think of a context, roughly, as corresponding to a collection of resources, then use of separate contexts in an elimination rule for a multiplicative implication $-\!*$ directly expresses the disjointness mentioned in the informal interpretation, and the use of a common context in a rule for the additive $\to$ corresponds to the sameness.

$$\frac{\Gamma \vdash A -\!* B \qquad \Delta \vdash A}{\Gamma, \Delta \vdash B} \qquad\qquad \frac{\Gamma \vdash A \to B \qquad \Gamma \vdash A}{\Gamma \vdash B}$$

However, there is an important point to notice: the reading places no constraint on how many times a $-\!*$-typed function uses its argument, it just cannot be applied to arguments accessing the same resources. In fact, we will even show in Section 2 that the αλ-calculus allows multiplicative functions that use their arguments many times, or not at all. This exemplifies the interactions between multiplicatives and additives permitted by the sharing interpretation. More generally, and speaking figuratively, we would suggest that this bunch-based control over structural rules can be understood as being about who has access to what, rather than how often a piece of data is used.

Strictly speaking, the sharing interpretation as stated above is for the linear version of the αλ-calculus. The reading for the affine variant, which admits Weakening for the multiplicative combination ",", is obtained by changing the interpretation of the additive function type.

$A -\!* B$: functions that don't share resources with their arguments.

$A \to B$: functions that may share resources with their arguments.

The use of "may" here indicates that an additive function might share resources with its argument, but it does not have to. In the affine language this will be reflected in the fact that functions of type $A \to B$ can be converted to functions of type $A -\!* B$.

1.3 Syntactic Control of Interference 

The affine interpretation just given is derived directly from syntactic control of interference and Idealized Algol, two imperative languages due to Reynolds [21,22]. The key difference between functions in the two languages is that in Idealized Algol a function is allowed to interfere, by use of common storage, with its argument, while in syntactic control it is not. One might even say that the answer to the question of what kind of functions correspond to bunched implications preceded (in the affine case) the question.

In fact, our original interest in a calculus like αλ stemmed from an observation about a specific model that had been used for the two languages separately.

"The semantic model presented here possesses two kinds of exponential, one for the monoidal closed structure, and another, adjoint to $\times$, for cartesian closed structure. This raises the question of whether interference control and uncontrolled Algol can coexist harmoniously in one system . . . An interesting point to note is that here the two kinds of closed structure coexist in the same category, so there is no need to pass to a separate category, such as a Kleisli category, to interpret the intuitionistic (i.e., Algol's) function type. [13]"

In Sections 5 and 6 we show how the affine variant of the αλ-calculus does indeed give rise to the requested enveloping language. There we give a brief introduction to syntactic control, emphasizing the unusual nature of its sharing interpretation. We also discuss limitations which motivate the question of an enveloping language containing both it and Idealized Algol.

The linear sharing interpretation will not be developed in detail in this preliminary paper, beyond a simple model in Section 3 intended to illustrate the basic ideas. At a later time we plan to show how the linear αλ-calculus can also be used to control interference, but where banishing Weakening leads to additional positive properties that enable the dynamic extent of resources such as pointers to be controlled.

2 The αλ-calculus

The definition of the αλ-calculus is motivated by models as follows.

Definition 1. A (symmetric) doubly closed category, or dcc in short, is a category equipped with two symmetric monoidal closed structures $(I, *, -\!*)$ and $(1, \wedge, \to)$. A dcc is called cartesian if one of the monoidal structures, say $(1, \wedge)$, is cartesian, affine if it is cartesian and the two units $1$ and $I$ are isomorphic, and bicartesian if it is cartesian and has finite coproducts.

Models of the version of αλ here are given using cartesian dcc's. Full BI, which includes additive disjunction, uses bicartesian dcc's.


2.1 The Basic System

Types

$$\begin{array}{lll}
A ::= & p & \text{primitive types}\\
 & \mid\ A * A & \text{multiplicative product}\\
 & \mid\ A \wedge A & \text{additive product}\\
 & \mid\ A -\!* A & \text{multiplicative exponent}\\
 & \mid\ A \to A & \text{additive exponent}
\end{array}$$

(We do not include types for the units of the products here; but these, and the additive disjunction of BI, pose no substantial difficulties for our purposes.)


Bunches

$$\begin{array}{lll}
\Gamma ::= & x : A & \text{identifier assumption}\\
 & \mid\ I & \text{multiplicative unit}\\
 & \mid\ \Gamma, \Gamma & \text{multiplicative combination}\\
 & \mid\ 1 & \text{additive unit}\\
 & \mid\ \Gamma; \Gamma & \text{additive combination}
\end{array}$$

The essence of the two forms of combination is that ";" admits Weakening and Contraction, whereas "," does not. Bunches are subject to the restriction that no identifier may occur twice in the tree. This restriction determines implicit side conditions on some of the rules below. We write $\Gamma(\Delta)$ to indicate a bunch in which $\Delta$ appears as a subtree, and $\Gamma(\Delta')$ for the similar tree where $\Delta'$ replaces $\Delta$. $i(\Gamma)$ is the list of identifiers encountered one after the other in an inorder traversal of the tree $\Gamma$. $\Gamma \cong \Delta$ indicates that $\Gamma$ and $\Delta$ are isomorphic as trees; i.e., one can be obtained from the other by a suitable renaming of identifiers. Isomorphism is used in the formulation of Contraction below.

We won't try to come up with a more compact representation of bunches using, say, sets or sequences instead of binary operators; the real point of bunches is to let us get the α- and λ-abstractions right. We use an equivalence on trees instead of worrying about representation.



Coherent Equivalence: $\Gamma \equiv \Gamma'$.

$\equiv$ is the smallest equivalence relation on bunches satisfying

1. Commutative monoid equations for $1$ and ";"
2. Commutative monoid equations for $I$ and ","
3. Congruence: if $\Delta \equiv \Delta'$ then $\Gamma(\Delta) \equiv \Gamma(\Delta')$

Note that "," and ";" do not distribute over one another.
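As an added illustration (not code from the paper), the following Python represents bunches as trees and decides Coherent Equivalence by computing canonical forms under the two commutative-monoid theories, alongside the identifier list $i(\Gamma)$, the no-repeated-identifier restriction and the tree isomorphism $\Gamma \cong \Delta$ that Contraction requires; the tuple encoding of bunches is this example's own choice.

```python
"""Bunches as trees, with Coherent Equivalence decided by canonical forms.

Added illustration, not code from the paper.  Encoding (this example's own
choice): an assumption is ('var', x, A) with the type A a plain string, the
units are ('1',) and ('I',), and combinations are (';', left, right) for the
additive form and (',', left, right) for the multiplicative form.
"""

COMBINATORS = (';', ',')
UNIT = {';': ('1',), ',': ('I',)}   # 1 is the unit of ';', I is the unit of ','


def identifiers(bunch):
    """i(Γ): the identifiers met in an inorder traversal of the tree."""
    tag = bunch[0]
    if tag == 'var':
        return [bunch[1]]
    if tag in COMBINATORS:
        return identifiers(bunch[1]) + identifiers(bunch[2])
    return []                                      # a unit carries no identifier


def well_formed(bunch):
    """The restriction of Section 2.1: no identifier may occur twice."""
    ids = identifiers(bunch)
    return len(ids) == len(set(ids))


def canonical(bunch):
    """Canonical form modulo the commutative-monoid laws for (1, ;) and (I, ,)
    plus congruence.  A maximal run of one combinator becomes a sorted tuple of
    the canonical forms of its leaves, units are dropped, a run with a single
    leaf collapses to that leaf, and an empty run is the unit.  Because ';' and
    ',' do not distribute over one another there is nothing else to normalise,
    so two bunches are coherently equivalent exactly when their canonical forms
    are equal.
    """
    tag = bunch[0]
    if tag not in COMBINATORS:
        return bunch                               # assumption or unit
    leaves = []
    for child in (bunch[1], bunch[2]):
        c = canonical(child)
        if c[0] == tag:                            # same combinator: flatten the run
            leaves.extend(c[1:])
        elif c != UNIT[tag]:                       # unit law: drop 1 under ';', I under ','
            leaves.append(c)
    if not leaves:
        return UNIT[tag]
    if len(leaves) == 1:
        return leaves[0]
    return (tag,) + tuple(sorted(leaves, key=repr))   # commutativity


def coherent_equiv(b1, b2):
    """Γ ≡ Γ' of Section 2.1."""
    return canonical(b1) == canonical(b2)


def isomorphic(b1, b2):
    """Γ ≅ Δ: the same tree up to a bijective renaming of identifiers, with the
    same type at every assumption.  This is the side condition of Contraction.
    """
    renaming = []

    def walk(u, v):
        if u[0] != v[0]:
            return False
        if u[0] == 'var':
            renaming.append((u[1], v[1]))
            return u[2] == v[2]
        if u[0] in COMBINATORS:
            return walk(u[1], v[1]) and walk(u[2], v[2])
        return True                                # matching units

    if not walk(b1, b2):
        return False
    fwd, bwd = {}, {}
    for a, b in renaming:                          # the renaming must be a bijection
        if fwd.setdefault(a, b) != b or bwd.setdefault(b, a) != a:
            return False
    return True


if __name__ == '__main__':
    x, y = ('var', 'x', 'A'), ('var', 'y', 'B')
    # x : A is the same bunch as I, x : A and as 1 ; x : A, but not as 1 , x : A
    print(coherent_equiv((',', ('I',), x), x), coherent_equiv((',', ('1',), x), x))
    print(isomorphic((';', x, y), (';', ('var', 'u', 'A'), ('var', 'v', 'B'))))
```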



Typing Judgements. These are of the form

$$\Gamma \vdash M : A$$

where the terms $M$ are defined in the following rules.

Identity and Structure

$$\frac{}{x : A \vdash x : A}\ \text{Id} \qquad\qquad \frac{\Gamma \vdash M : A}{\Delta \vdash M : A}\ (\text{where } \Delta \equiv \Gamma)$$

$$\frac{\Gamma(\Delta) \vdash M : A}{\Gamma(\Delta;\Delta') \vdash M : A}\ \text{W} \qquad\qquad \frac{\Gamma(\Delta;\Delta') \vdash M : A}{\Gamma(\Delta) \vdash M[i(\Delta)/i(\Delta')] : A}\ \text{C}\ (\text{where } \Delta \cong \Delta')$$


Additives

$$\frac{\Gamma \vdash M : A \qquad \Delta \vdash N : B}{\Gamma;\Delta \vdash (M, N) : A \wedge B}\ \wedge\text{I} \qquad\qquad \frac{\Gamma \vdash M : A_1 \wedge A_2}{\Gamma \vdash \pi_i M : A_i}\ \wedge\text{E}\ (\text{where } i \text{ is 1 or 2})$$

$$\frac{\Gamma; x : A \vdash M : B}{\Gamma \vdash \alpha x . M : A \to B}\ \to\text{I} \qquad\qquad \frac{\Gamma \vdash M : A \to B \qquad \Delta \vdash N : A}{\Gamma;\Delta \vdash M N : B}\ \to\text{E}$$

Multiplicatives

$$\frac{\Gamma \vdash M : A \qquad \Delta \vdash N : B}{\Gamma,\Delta \vdash M * N : A * B}\ *\text{I} \qquad\qquad \frac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x . M : A -\!* B}\ -\!*\text{I}$$

$$\frac{\Gamma(x : A, y : B) \vdash N : C \qquad \Delta \vdash M : A * B}{\Gamma(\Delta) \vdash \text{let } (x, y) = M \text{ in } N : C}\ *\text{E} \qquad\qquad \frac{\Gamma \vdash M : A -\!* B \qquad \Delta \vdash N : A}{\Gamma, \Delta \vdash M @ N : B}\ -\!*\text{E}$$

Equations

$$\begin{array}{ll}
(\alpha x . M) N = M[N/x] & (\alpha x . M x) = M \quad (x \notin free(M))\\
(\lambda x . M) @ N = M[N/x] & (\lambda x . M @ x) = M \quad (x \notin free(M))\\
\pi_1 (M, N) = M & (\pi_1 M, \pi_2 M) = M\\
\pi_2 (M, N) = N & \\
(\text{let } (x, y) = M_1 * M_2 \text{ in } N) = N[M_1/x, M_2/y] & (\text{let } (x, y) = M \text{ in } x * y) = M
\end{array}$$

The left and right columns contain β and η laws for each connective. A fuller treatment of let requires commutative conversions; these and the question of normalization are considered in [20].

Since ";" admits Weakening and Contraction, we can derive rules where the additive maintenance of premises is explicit.

Lemma 2. The following are admissible rules.

$$\frac{\Gamma \vdash M : A \to B \qquad \Gamma \vdash N : A}{\Gamma \vdash M N : B} \qquad\qquad \frac{\Gamma \vdash M : A \qquad \Gamma \vdash N : B}{\Gamma \vdash (M, N) : A \wedge B}$$

The cut lemma, asserting that substitution preserves well-formedness, is formulated for identifiers appearing arbitrarily deeply in a bunch.

Lemma 3. The following is an admissible rule.

$$\frac{\Gamma(x : A) \vdash M : B \qquad \Delta \vdash N : A}{\Gamma(\Delta) \vdash M[N/x] : B}$$

Using this lemma, we obtain the following admissible rules

$$\frac{\Gamma, x : A \vdash M : B \qquad \Delta \vdash N : A}{\Gamma, \Delta \vdash M[N/x] : B} \qquad\qquad \frac{\Gamma; x : A \vdash M : B \qquad \Gamma \vdash N : A}{\Gamma \vdash M[N/x] : B}$$

$$\frac{\Gamma(x : A, y : B) \vdash M : C \qquad \Delta \vdash N : A \qquad \Delta' \vdash N' : B}{\Gamma(\Delta, \Delta') \vdash M[N/x, N'/y] : C}$$

where the top right rule uses Contraction together with cut.

Lemma 4. β reduction preserves typing.

(where reductions are obtained by reading the equations left to right)



2.2 The Affine Variant

The affine variant extends the basic calculus as follows.

Affine Coherent Equivalence adds

4. $I \equiv 1$

to Coherent Equivalence.

Convertibility of ";" to ","

$$\frac{\Gamma(\Delta;\Delta') \vdash M : A}{\Gamma(\Delta,\Delta') \vdash M : A}\ \text{Conv}$$

Equations. There are additional equations for projections for $*$.

$$(\text{let } (x, y) = M * N \text{ in } x) = M \qquad\qquad (\text{let } (x, y) = M * N \text{ in } y) = N$$

Lemma 5. Weakening for "," is admissible in the affine variant.

$$\frac{\Gamma(\Delta) \vdash M : A}{\Gamma(\Delta,\Delta') \vdash M : A}\ \text{W}$$
2.3 Trivial Examples

Given a judgement $x : A \vdash x : A$ we cannot immediately use an introduction rule to type an identity function of type $A \to A$ or $A -\!* A$, because to apply an introduction rule for a function type we must have a context of the form $\Gamma, x : A$ or $\Gamma; x : A$. So we need to use coherent equivalence first.

$$\frac{\dfrac{x : A \vdash x : A}{1; x : A \vdash x : A}}{1 \vdash \alpha x . x : A \to A} \qquad\qquad \frac{\dfrac{x : A \vdash x : A}{I, x : A \vdash x : A}}{I \vdash \lambda x . x : A -\!* A}$$

Using coherent equivalence we can also mimic the isomorphisms

$$[1, A \to B] \cong [A, B] \cong [I, A -\!* B]$$

of hom sets in a dcc.

$$\frac{\dfrac{x : A \vdash M : B}{1; x : A \vdash M : B}}{1 \vdash \alpha x . M : A \to B} \qquad\qquad \frac{\dfrac{x : A \vdash M : B}{I, x : A \vdash M : B}}{I \vdash \lambda x . M : A -\!* B}$$

$$\frac{\dfrac{1 \vdash M : A \to B \qquad x : A \vdash x : A}{1; x : A \vdash M x : B}}{x : A \vdash M x : B} \qquad\qquad \frac{\dfrac{I \vdash M : A -\!* B \qquad x : A \vdash x : A}{I, x : A \vdash M @ x : B}}{x : A \vdash M @ x : B}$$

$A \to B$ and $A -\!* B$ are not convertible to one another in general, but in the affine variant we can go from the former to the latter.

$$\frac{\dfrac{\dfrac{f : A \to B \vdash f : A \to B}{f : A \to B, x : A \vdash f : A \to B} \qquad \dfrac{x' : A \vdash x' : A}{f : A \to B, x' : A \vdash x' : A}}{(f : A \to B, x : A); (f : A \to B, x' : A) \vdash f x' : B}}{\dfrac{f : A \to B, x : A \vdash f x : B}{f : A \to B \vdash \lambda x . f x : A -\!* B}}$$
2.4 Unusual Examples

In the αλ-calculus we can have a multiplicative function that uses its argument many times. For example, in the following, a variable abstracted using λ, the multiplicative abstraction, appears multiple times in the body of the term.

$$\frac{\dfrac{\dfrac{x; f \vdash f x : A \to B \qquad x; f \vdash x : A}{x : A; f : A \to A \to B \vdash (f x) x : B}}{x : A \vdash \alpha f . (f x) x : ((A \to A \to B) \to B)}}{\dfrac{I, x : A \vdash \alpha f . (f x) x : ((A \to A \to B) \to B)}{I \vdash \lambda x . \alpha f . (f x) x : A -\!* ((A \to A \to B) \to B)}}$$

(where $x; f$ abbreviates the bunch $x : A; f : A \to A \to B$)

Here, in the key, top-pictured, step we use the admissible rule for $\to$-elimination (or equivalently we use $\to$E followed by Contraction, with suitable renaming of premises).

This term seems unusual, or wrong, if one thinks of a number-of-uses reading. But it is justified by the sharing interpretation. To see why, consider that the subterm $f x$ is of type $A \to B$. According to the sharing interpretation, it is allowed to share with its argument, in this case $x$, which is why $(f x) x$ is reasonable. On the other hand, the sharing interpretation would not support an application $(f @ x) @ x$ where $f$ had type $A -\!* A -\!* B$.

Similarly, we can have a multiplicative function that doesn't use its argument at all.

$$\frac{\dfrac{\dfrac{y : B \vdash y : B}{x : A; y : B \vdash y : B}}{x : A \vdash (\alpha y . y) : B \to B}}{\dfrac{I, x : A \vdash (\alpha y . y) : B \to B}{I \vdash \lambda x . (\alpha y . y) : A -\!* (B \to B)}}$$

It is instructive to compare the corresponding types in linear type theory. For the first example, the type would be $A \multimap !(!A \multimap !A \multimap B) \multimap B$. In trying to derive a term we could λ-abstract on $x : A$ and function parameter $f$. But then, to apply (the dereliction of) $f$ to $x$, we would need to convert $x$ to something of type $!A$, and we cannot do a conversion from $A$ to $!A$ in general. Similarly, for the type $A \multimap !B \multimap B$ we can abstract on $x : A$ and $y : !B$, but we cannot throw $x$ away.

These examples serve to illustrate that the idea that a multiplicative function uses its argument exactly once does not directly carry over to αλ.



3 Two Models 

In this section we give two simple models, which express some aspects of the 
informal sharing interpretation. 

The definition of the αλ-calculus is close enough to its models (it was, in fact, extracted from them) that the interpretation of (derivations of) typing judgements should be evident. We concentrate on models themselves here. (A thorough account of the relation between syntax and semantics, including coherence and a completeness result, may be found in [20].)



3.1 A Linear Model 

Let $\mathbf{B}$ be the category of finite sets and bijections. The functor category $\mathbf{Set}^{\mathbf{B}}$ will be used as a model of the αλ-calculus.

We think of $\mathbf{B}$ here as a category of possible worlds, where each world $X$ determines a finite collection of resources. For a functor $A$ and element $a \in AX$, we regard $a$ as a computational entity of type $A$ that has access to $X$.
The structure of the additives is determined pointwise; on objects it is

$$1X = \{*\}$$

$$(A \wedge B)X = AX \times BX$$

$$(A \to B)X = AX \Rightarrow BX.$$

Here, $\Rightarrow$ is function space in $\mathbf{Set}$, and $\times$ is cartesian product. The exponent $A \to B$ in a functor category is usually represented as

$$(A \to B)X = \mathbf{Set}^{\mathbf{B}}[\mathbf{B}[X, -] \wedge A, B]$$

but in the special case that all morphisms of $\mathbf{B}$ are isomorphisms this is equivalent to the pointwise representation.

Notice how the pointwise definition corresponds closely to the informal reading of $\to$ in the sharing interpretation, where an additive function and its argument access the same resources. The additive function type has a strongly local character, where the application of a function stays located at a given world.

The multiplicative function type, in contrast, explicitly refers to other worlds, which are set apart from $X$ through the use of $+$.

$$(A -\!* B)X = \mathbf{Set}^{\mathbf{B}}[A(-), B(X + -)]$$

Here, $+$ is the evident functor on $\mathbf{B}$ given by disjoint union of sets. The absence of $X$ in $A(-)$ mirrors the informal description of multiplicative functions as disjoint from their arguments. An element $p \in (A -\!* B)X$ accepts a world $Y$ and element $a \in AY$ as arguments, and produces $p[Y]a \in B(X + Y)$. The "resources" for $p$ are $X$, while those for $a$ are $Y$, and these are separate in the result type by virtue of their positions in the combined world $X + Y$.

We give an example to illustrate the sharing aspect. Consider the inclusion functor $L : \mathbf{B} \to \mathbf{Set}$. For each finite set $X$, we think of $LX = X$ as a set of names, or locations. Let $N$ be the constant functor delivering the natural numbers, and define

$$S = L \to (1 \vee (N \wedge L))$$

where $\vee$ is the coproduct of functors (which is defined pointwise). Because of the pointwise definition of $\to$ we have that $SX = X \Rightarrow \{*\} + (N \times X)$. We regard an element $s \in SX$ as a representation of a portion of a computer store, where each $x \in X$ is a pointer to a linked list (possibly with loops).

Now consider any function $f \in ((S \wedge L) -\!* ((S \wedge L) -\!* S))X$. $f$ accepts $(s, x) \in SX \times X$ and $(s', y) \in SY \times Y$, for finite set $Y$, as arguments, and produces a state in $S(X + Y)$ as a final result. From the point of view of $S(X + Y)$, there is no overlap between $x$ and $y$, or between the other pointers in the list pointed to by $x$ and those pointed to by $y$. Thus, we can view $f$ as a procedure that accepts two linked lists as arguments, with the proviso that the two input lists are defined using disjoint collections of pointers. This kind of proviso is often required in the statement of correctness of an algorithm that, say, removes the elements of one list that appear in the other.
On the other hand, consider the type $L -\!* (L -\!* (S \to S))$. A function of this type would accept two pointers to linked lists as arguments, and the two pointer arguments would again have to be distinct, but now they could point to lists that overlap in the store.

No particular practical significance is claimed for this example; it is offered just as a concrete illustration of how $-\!*$ and $\to$ can express sharing properties. But in a future paper we plan to show how a type system based on the linear αλ-calculus can be used to control pointer aliasing in an imperative language.

Returning to the definition of the model, the multiplicative unit is $I$ where $I(\{\}) = \{*\}$ and $IX = \{\}$ for all other $X$. We refer to Section 4 for the definition of $*$ (a concrete representation of it is given below). However, even prior to definition it is useful to observe that a multi-map characterization of maps out of $A * B$ is forced by the definition of $-\!*$. That is, if we are to have the isomorphism $\mathbf{Set}^{\mathbf{B}}[A * B, C] \cong \mathbf{Set}^{\mathbf{B}}[A, B -\!* C]$, then we must obtain the following [7].

Maps $p : A * B \to C$ out of a tensor are in bijection with families of functions

$$p[X][Y] : AX \times BY \to C(X + Y),$$

natural in $X$ and $Y$.

The idea in terms of sharing is that the components of $*$ are assigned different resources (this is in line with the form of semantics proposed by Reynolds for syntactic control of interference [15]).

Proposition 6. $\mathbf{Set}^{\mathbf{B}}$ with this data is a cartesian dcc.

Let us reconsider the first example from Section 2.4 in light of this model. The judgement

$$I \vdash \lambda x . \alpha f . (f x) x : A -\!* ((A \to A \to B) \to B)$$

determines an element $p \in (A -\!* ((A \to A \to B) \to B))\{\}$ (where we indulge in a confusion between types and objects in $\mathbf{Set}^{\mathbf{B}}$). It accepts a world $X$ and $a \in AX$, and produces (using the isomorphism $\{\} + X \cong X$) a function $p[X]a \in ((A \to A \to B) \to B)X$. By the pointwise definition of $\to$ this is a function of type $(AX \Rightarrow AX \Rightarrow BX) \Rightarrow BX$ in $\mathbf{Set}$, and it is the expected function that maps $f$ to $(f a) a$.

Remark 7. A concrete representation of the multiplicative product can be given as follows. If $n$ and $m$ are natural numbers let $[n|m]$ denote the set $\{n, \ldots, m - 1\}$ and let $|X|$ denote the size of a finite set $X$. Then

$$(A * B)X = \{(n, m, a \in A[0|n], b \in B[n|m]) \mid n + m = |X|\}.$$

Remark 8. It is important to see that there is no hidden Weakening or Contraction for "," lurking in the examples of terms that use their arguments two or zero times. In fact, we can see that these rules are absent in $\mathbf{Set}^{\mathbf{B}}$ in a very strong sense; there are not even any candidate maps of the required types to model them, let alone maps with the proper properties.

To model Contraction we would need maps of shape $A \to A * A$. But there are no maps $L \to L * L$, where $L$ is the inclusion from $\mathbf{B}$ to $\mathbf{Set}$. To see why, given $a \in L\{a\}$ we would have to produce an element in $(L * L)\{a\}$, but this set is empty. For, the representation of $*$ just given implies that an element would have to be of the form $(0, 1, b \in L\{\}, b' \in L\{0\})$ or $(1, 0, b \in L\{0\}, b' \in L\{\})$, but there are no such elements as $L\{\}$ is empty.

To model Weakening, we would need maps $A \to I$, for all $A$. But there are no maps $1 \to I$.
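As an added illustration (not the paper's own code), the Python below computes the additive and multiplicative products of Section 3.1 for functors given by their object parts, using a world-splitting representation of $A * B$ (an assumption of this example, obtained from the coend of Section 4 at the category of bijections rather than Remark 7's initial-segment encoding), and checks the claim of Remark 8 that $(L * L)\{a\}$ is empty, so that no map $L \to L * L$ and no map $1 \to I$ can exist.

```python
"""Additive and multiplicative products in the linear model Set^B of Section 3.1.

Added illustration, not the paper's code.  A functor on finite sets and
bijections is represented by its object part only: a function from a
frozenset X (the world) to the list of elements of AX.  The multiplicative
product uses a world-splitting representation, an assumption of this example
obtained from the coend of Section 4 at the category of bijections: an
element of (A * B)X is a triple (Y, a, b) with Y a subset of X, a in AY and
b in B(X minus Y), so the two components are assigned disjoint resources.
(Remark 7 encodes the same data with an initial segment of the world instead
of an arbitrary subset Y.)
"""
from itertools import combinations


def L(X):
    """Inclusion functor: LX = X, the names or locations available in world X."""
    return sorted(X)


def unit_1(X):
    """Additive unit, 1X = {*}."""
    return ['*']


def unit_I(X):
    """Multiplicative unit, I{} = {*} and IX = {} for every other X."""
    return ['*'] if not X else []


def additive_product(A, B):
    """(A ∧ B)X = AX × BX, defined pointwise."""
    return lambda X: [(a, b) for a in A(X) for b in B(X)]


def subsets(X):
    """All subsets Y of X, as frozensets."""
    elems = sorted(X)
    for k in range(len(elems) + 1):
        for Y in combinations(elems, k):
            yield frozenset(Y)


def multiplicative_product(A, B):
    """(A * B)X as the splits (Y, a, b) with a over Y and b over X minus Y."""
    def AB(X):
        X = frozenset(X)
        return [(Y, a, b) for Y in subsets(X) for a in A(Y) for b in B(X - Y)]
    return AB


def has_contraction_component(A, X):
    """Remark 8: a natural map A → A * A would need a component AX → (A * A)X
    at every world X; such a function exists only if (A * A)X is non-empty or
    AX is empty."""
    return not A(X) or bool(multiplicative_product(A, A)(X))


def has_weakening_component(A, X):
    """Likewise a map A → I needs a component AX → IX at every world X."""
    return not A(X) or bool(unit_I(X))


if __name__ == '__main__':
    world = frozenset({'a'})
    # (L ∧ L){a} = {(a, a)}, but (L * L){a} is empty: no map L → L * L exists.
    print(additive_product(L, L)(world), multiplicative_product(L, L)(world))
    print(has_contraction_component(L, world), has_weakening_component(unit_1, world))
```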



3.2 An Affine Model

Let $\mathbf{I}$ denote the category of finite sets and injective functions. The functor category $\mathbf{Set}^{\mathbf{I}}$ is cartesian closed, with finite products defined pointwise. The additive function type can be given a special representation, using the fact that any morphism in $\mathbf{I}$ factors into an injection $X \to X + Y$ into the left component of a disjoint union, followed by an isomorphism:

$$(A \to B)(X) = \mathbf{Set}^{\mathbf{I}}[A(X + -), B(X + -)].$$

This accurately reflects the informal reading from Section 1.2, in that the presence of $X$ in the argument type $A(X + -)$ indicates how a function $p \in (A \to B)X$ may share access to $X$ with its argument.

The multiplicative function type once again expresses disjointness of a function from its argument:

$$(A -\!* B)X = \mathbf{Set}^{\mathbf{I}}[A, B(X + -)]$$

where $+$ is the functor on $\mathbf{I}$ given by disjoint union of finite sets.

In Section 2.3 we showed how to convert $\to$ to $-\!*$ in the affine αλ-calculus. In this model, the conversion takes a natural transformation $A(X + -) \to B(X + -)$ and composes on the left with the map $A \to A(X + -)$ that sends $a \in AY$ to $A(inr)a \in A(X + Y)$, where $inr$ is the right injection. Here, an additive function in world $X$ is applied to an argument $a \in AY$ that doesn't happen to depend on $X$.

Once again we refer to the following section for $*$, and simply state

Proposition 9. $\mathbf{Set}^{\mathbf{I}}$ is an affine dcc.

We can try to use the inclusion functor $L : \mathbf{I} \to \mathbf{Set}$ as a variant on the functor used to illustrate the linear sharing interpretation, but it has something of a different character in the affine model. It would not be as reasonable to think of $s \in (L \to (1 \vee (N \wedge L)))X$ as a state, because $s$ would have to accept other worlds $Y$, and potentially $y \in LY$, as arguments. So the development above, for the linear interpretation, does not carry through well to the affine case. However, a more thorough account of the sharing aspect of the affine model is given in Sections 5 and 6, where we study syntactic control of interference.
Remark 10. When working with pullback preserving functors (which we always will), a concrete description of $*$ is possible. The basic intuition is that we can define the support of any computational value, as the smallest collection of resources upon which it depends. For $a \in AX$ define $supp(a)$ to be the smallest subset $Y \subseteq X$ such that $a \in range(A(Y \to X))$. Pullback preservation is enough to guarantee existence of such supports [12]. Then, for pullback preserving functors

$$(A * B)X = \{(a, b) \in AX \times BX \mid supp(a) \cap supp(b) = \{\}\}.$$

Remark 11. There is no functor $! : \mathbf{Set}^{\mathbf{I}} \to \mathbf{Set}^{\mathbf{I}}$ admitting an isomorphism $!A -\!* B \cong A \to B$. To see why, consider the constant functor $2$ which delivers the two element set $\{t, f\}$. Then

$$(A -\!* 2)X = \mathbf{Set}^{\mathbf{I}}[A, 2(X + -)] = \mathbf{Set}^{\mathbf{I}}[A, 2]$$

is independent of $X$, and so $A -\!* 2$ is a constant functor. On the other hand, $(A \to 2)X = \mathbf{Set}^{\mathbf{I}}[A(X + -), 2]$ depends on $X$, and is not necessarily (isomorphic to) a constant functor. For instance, if $L$ is the inclusion functor from $\mathbf{I}$ into $\mathbf{Set}$, then $(L \to 2)\{\}$ has two elements, corresponding to the two constant functions into $\{t, f\}$. On the other hand, $(L \to 2)\{a, b\}$ has elements that are not in the range of $(L \to 2)(f : \{\} \to \{a, b\})$. One such maps $a$ to $t$ and $b$ to $f$ (and all other inputs to, say, $f$). Therefore, no matter what "!" we try to pick, $!L -\!* 2$ will be a constant functor, while $L \to 2$ is not, so they cannot be isomorphic. This indicates that a dcc is not simply a model of linear logic in disguise.

4 Day’s Construction 

The material in the previous section can be regarded as two worked examples, of specific instances of a general construction due to Brian Day [7]. He shows that any (small) monoidal category $(\mathbf{C}, *, I)$ induces a monoidal closed structure on $\mathbf{Set}^{\mathbf{C}^{op}}$, and that when $(\mathbf{C}, *, I)$ is symmetric monoidal so is $\mathbf{Set}^{\mathbf{C}^{op}}$. This, combined with the standard fact that $\mathbf{Set}$ is bicartesian closed, yields a bicartesian dcc.

We have already seen $-\!*$: given functors $A$ and $B$,

$$(A -\!* B)Z = [A, B(Z * -)].$$

The formula for the tensor product is written using a coend:

$$(A * B)Z = \int^{X, Y} AX \times BY \times \mathbf{C}[Z, X * Y].$$

It is sometimes possible to give an explicit description of $*$ without using coends, as we did in remarks in the previous section. The unit $I$ of the monoidal structure is $\mathbf{C}[-, I]$. The formulas for $(A * B)Z$ and $(A -\!* B)Z$ are both contravariant in $Z$, giving the morphism parts of the functors.
Although the models given in the last section are instances of this structure, their connection to the sharing interpretation does not fall out from it. Put another way, not all instances of Day’s construction would be consistent with the informal sharing reading, such as $\mathrm{Set}^{\mathcal{C}^{op}}$ where the tensor in $\mathcal{C}$ admits Contraction. We wonder if there are abstract properties of $\mathcal{C}$, together with an accompanying analysis, that could provide an axiomatic understanding of the essence of the “resource” aspect of αλ.

Besides giving us a host of models, Day’s construction enables us to make remarks about full and faithful embeddings. Faithfulness is the semantic counterpart of a syntactic conservativity result, while fullness says that adding such structure does not cause any new maps to be added, when we focus on just ccc or smcc types being embedded.

We can embed a ccc in a dcc in a trivial way, by regarding it as a dcc in which the two closed structures coincide. This implies the conservativity of the equality on αλ-terms given by cartesian dcc’s over that for simply-typed λ-calculus. For smcc’s we refer to a result of [8], which says that the Yoneda embedding takes symmetric monoidal closed structure on a small category $\mathcal{C}$ to that structure just described on $\mathrm{Set}^{\mathcal{C}^{op}}$.

These embeddings raise the question of a “purely functional” understanding of αλ. For example, we could formulate a model consisting of (certain, [19,14]) functors from the category of coherence spaces and linear functions to a category of cpo’s (with bottom) and continuous functions. This gives us a model of αλ which, when restricted to multiplicative types, agrees with the coherence space model of linear logic. But for terms that mix multiplicatives and additives there would be strange behaviour, from the point of view of coherence spaces, as the examples from Section 2.4 show. So, although it is possible to define such a model, the proper meaning to attach to it is not clear.

5 Interference Control and Affine λ-calculus

In this and the next section we develop the affine model from Section 3.2, and show how the αλ-calculus can be used to extend syntactic control of interference (SCI). We begin with an introduction to SCI, focusing on the sharing interpretation for it, and properties desired of an extension.

The central statement of imperative programming is the assignment x := e, which overwrites the contents of a cell, or location, denoted by x. Imperative languages give rise to the phenomenon of interference [21], where executing one statement can affect another when they share access to the same cells. In particular, there can be covert interference, where seemingly unrelated statements, such as x := y and z := w, can affect one another; this can happen when the identifiers x and z are aliases (denote the same cell).

Contraction is a source of aliasing in imperative programming. In

$$((\lambda y\,\lambda z\,.\ \cdots\ y := 2\ \cdots\ \mathsf{if}\ z = 3\ \mathsf{then}\ \cdots)x)x$$

if x denotes a cell c, then that same cell will be passed to both y and z. A result of this is that, in the body of the λ-expression, the statement y := 2 will set the contents of c to 2. This, in turn, will affect the truth of the condition z = 3, because that condition checks the contents of cell c, to see if it is 3.

To enable this passing of c to both y and z we have to have Contraction, either explicitly or as an admissible rule, in order to get two occurrences of x in an application (Mx)x. SCI rejects Contraction by using affine λ-calculus as its type system.



5.1 Basic SCI

We work with a version of SCI whose types are as follows.

$$\rho ::= \mathsf{exp} \mid \mathsf{cell} \mid \mathsf{comm} \qquad \text{primitive types}$$
$$\theta ::= \rho \mid \theta \wedge \theta' \mid \theta \mathrel{-\!\!*} \theta' \qquad \text{types}$$

The primitive type exp is the type of natural number-valued expressions, comm is the type of commands, and cell is the type of storage cells, or locations.

We have used −∗ to emphasize that functions in SCI are multiplicative.



Affine λ-calculus

$\dfrac{}{x : \theta \vdash x : \theta}$ (Id)

$\dfrac{\Gamma \vdash M : \theta}{\Delta \vdash M : \theta}$ (Ex) (where Δ is a permutation of Γ)

$\dfrac{\Gamma \vdash M : \theta'}{\Gamma, x : \theta \vdash M : \theta'}$ (W)

$\dfrac{\Gamma, x : \theta \vdash M : \theta'}{\Gamma \vdash \lambda x : \theta.\,M : \theta \mathrel{-\!\!*} \theta'}$ ($\mathrel{-\!\!*}$I)

$\dfrac{\Gamma \vdash M : \theta \mathrel{-\!\!*} \theta' \quad \Delta \vdash N : \theta}{\Gamma, \Delta \vdash MN : \theta'}$ ($\mathrel{-\!\!*}$E)

$\dfrac{\Gamma \vdash M : \theta \quad \Gamma \vdash N : \theta'}{\Gamma \vdash (M, N) : \theta \wedge \theta'}$ (∧I)

$\dfrac{\Gamma \vdash M : \theta_1 \wedge \theta_2}{\Gamma \vdash \pi_i M : \theta_i}$ (∧E) (where i is 1 or 2)

A typing context Γ here is a list of assumptions x : θ pairing identifiers with types, with the proviso that no identifier appears twice.

Selected SCI-Specific Rules

$\dfrac{}{\Gamma \vdash 0 : \mathsf{exp}}$   $\dfrac{\Gamma \vdash N : \mathsf{exp}}{\Gamma \vdash \mathsf{succ}\ N : \mathsf{exp}}$   $\dfrac{\Gamma \vdash N : \mathsf{exp}}{\Gamma \vdash \mathsf{pred}\ N : \mathsf{exp}}$

$\dfrac{\Gamma \vdash N_1 : \mathsf{exp} \quad \Gamma \vdash N_i : \mathsf{comm},\ i = 2, 3}{\Gamma \vdash \mathsf{if}\ N_1 = 0\ \mathsf{then}\ N_2\ \mathsf{else}\ N_3 : \mathsf{comm}}$

$\dfrac{x : \theta \vdash M : \theta}{\vdash \mathsf{rec}\ x.\,M : \theta}$   $\dfrac{\Gamma, x : \mathsf{cell} \vdash M : \mathsf{comm}}{\Gamma \vdash \mathsf{new}\ x.\,M : \mathsf{comm}}$

$\dfrac{}{\Gamma \vdash \mathsf{skip} : \mathsf{comm}}$   $\dfrac{\Gamma \vdash M : \mathsf{comm} \quad \Gamma \vdash N : \mathsf{comm}}{\Gamma \vdash M ; N : \mathsf{comm}}$

$\dfrac{\Gamma \vdash M : \mathsf{cell}}{\Gamma \vdash\ !M : \mathsf{exp}}$   $\dfrac{\Gamma \vdash M : \mathsf{cell} \quad \Gamma \vdash N : \mathsf{exp}}{\Gamma \vdash M := N : \mathsf{comm}}$

Of these constructs, !M is the operation that reads the contents of a cell, and new allocates a fresh cell (which is put on the runtime stack).



5.2 The Sharing Interpretation of SCI

We saw above how eliminating Contraction could rule out one instance of aliasing. More generally, the absence of aliasing is subsumed under the

Disjointness Policy: distinct identifiers never interfere.

The SCI sharing interpretation of types is as follows.

A −∗ B: functions that don’t interfere with their arguments.

A ∧ B: pairs that may interfere with one another.

If we substitute “share resources” for interfere, then the reading of −∗ is just the one we gave for the affine case in Section 1.2.

It is important to realize how this is an unusual reading of the affine λ-calculus. Often, the idea in the affine calculus is that a function uses its argument at most once, so that for instance in a function of type A ∧ B −∗ C either the A or the B component may be used, but not both. But according to SCI’s reading, it is perfectly reasonable for a function p of such a type to use either or both components of a pair (a, b) supplied to it as an argument, and either of these elements could be used many times. The only constraint is that p doesn’t interfere with (a, b).

For example, in SCI we can write a function

(λc : comm ∧ comm . π1 c ; π2 c ; π1 c) : comm ∧ comm −∗ comm

that uses the first component of a pair twice and the second component once.
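To make the two points concrete, here is an added affine type checker for the Basic SCI fragment of Section 5.1 (example code written for this page, not the paper’s). It rejects the aliasing application ((λy λz . …) x) x from the start of Section 5, because x occurs free in both function and argument (the side condition of −∗E), while accepting the function above that uses a pair component twice. The tagged-tuple term syntax, the skip command and the tuple representation of types are this example’s own choices.

```python
# Affine type checking for Basic SCI (Section 5.1), constructed for this page.
# Terms are tagged tuples; types are the strings 'exp', 'cell', 'comm' or the
# tuples ('and', a, b) for a ∧ b and ('wand', a, b) for a −∗ b.
EXP, CELL, COMM = 'exp', 'cell', 'comm'


class NotTypable(Exception):
    """Raised naming the premise or side condition that failed."""


def free_ids(t):
    """Free identifiers of a term; 'lam' is the only binder."""
    tag = t[0]
    if tag == 'var':
        return {t[1]}
    if tag == 'lam':                       # ('lam', x, theta, body)
        return free_ids(t[3]) - {t[1]}
    return set().union(*(free_ids(s) for s in t[1:] if isinstance(s, tuple)))


def expect(ctx, t, theta):
    got = typeof(ctx, t)
    if got != theta:
        raise NotTypable(f'expected {theta}, got {got}')


def typeof(ctx, t):
    """Type of t under ctx (a dict, so no identifier appears twice). The affine
    restriction bites at −∗E: the context splits into Γ for the function and Δ
    for the argument, so they may not share a free identifier (no Contraction).
    Weakening is implicit; the additive rules (∧I, :=, ;, if) share the context."""
    tag = t[0]
    if tag == 'var':
        if t[1] not in ctx:
            raise NotTypable(f'unbound identifier {t[1]}')
        return ctx[t[1]]
    if tag in ('num', 'skip'):
        return EXP if tag == 'num' else COMM
    if tag == 'lam':                       # −∗I
        _, x, theta, body = t
        if x in ctx:
            raise NotTypable(f'{x} already appears in the context')
        return ('wand', theta, typeof({**ctx, x: theta}, body))
    if tag == 'app':                       # −∗E
        _, m, n = t
        shared = free_ids(m) & free_ids(n)
        if shared:
            raise NotTypable(f'Contraction needed on {sorted(shared)}')
        ft = typeof(ctx, m)
        if ft[0] != 'wand' or ft[1] != typeof(ctx, n):
            raise NotTypable('ill-typed application')
        return ft[2]
    if tag == 'pair':                      # ∧I
        return ('and', typeof(ctx, t[1]), typeof(ctx, t[2]))
    if tag == 'proj':                      # ∧E: ('proj', i, pair), i in {1, 2}
        pt = typeof(ctx, t[2])
        if pt[0] != 'and':
            raise NotTypable('projection from a non-pair')
        return pt[t[1]]
    if tag == 'seq':                       # M ; N
        expect(ctx, t[1], COMM)
        expect(ctx, t[2], COMM)
        return COMM
    if tag == 'assign':                    # M := N
        expect(ctx, t[1], CELL)
        expect(ctx, t[2], EXP)
        return COMM
    if tag == 'deref':                     # !M
        expect(ctx, t[1], CELL)
        return EXP
    if tag == 'if':                        # if N1 = 0 then N2 else N3
        expect(ctx, t[1], EXP)
        expect(ctx, t[2], COMM)
        expect(ctx, t[3], COMM)
        return COMM
    raise NotTypable(f'unknown construct {tag}')


def check(ctx, t):
    """(True, type) if t is affinely typable under ctx, else (False, reason)."""
    try:
        return True, typeof(ctx, t)
    except NotTypable as e:
        return False, str(e)


# ((λy λz . y := 2 ; if !z = 0 then skip else skip) x) x: the aliasing term of
# Section 5, which needs Contraction to pass x twice.
ALIASING = ('app', ('app', ('lam', 'y', CELL, ('lam', 'z', CELL,
           ('seq', ('assign', ('var', 'y'), ('num', 2)),
                   ('if', ('deref', ('var', 'z')), ('skip',), ('skip',))))),
           ('var', 'x')), ('var', 'x'))

# λc : comm ∧ comm . π1 c ; π2 c ; π1 c: uses a component twice, yet affine.
SHARING = ('lam', 'c', ('and', COMM, COMM),
           ('seq', ('proj', 1, ('var', 'c')),
                   ('seq', ('proj', 2, ('var', 'c')), ('proj', 1, ('var', 'c')))))
```

Note that x := !x is accepted under {x : cell}: assignment is an additive rule, so both premises may mention x.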

The sharing reading also helps to understand the typing of if. In the number-of-uses reading, in if N1 = 0 then N2 else N3 one would expect to use one context for N1, and a separate context for N2 and N3. But the conditional essentially corresponds to a constant of type exp ∧ comm ∧ comm −∗ comm in SCI and there is no inconsistency if all the Ni’s share the same context. And in imperative programming this sharing is often wanted, so that information can pass from the condition into the branches.

Now the affine calculus certainly does not force the sharing reading. But it is consistent with it. The pure affine calculus is actually too small for this “many uses” aspect to be seen; the additional features of SCI are where it comes out. The pure αλ-calculus, in contrast, already admits multiplicative functions that use their arguments many times, as we saw in Section 2.4. This is why αλ is consistent with the sharing reading but not, as far as we are aware, with a straightforward adaptation of the number-of-uses reading.
5.3 A Model

We can describe a model of SCI using the category I of finite sets and injections from Section 3.2. To cope with recursion, we use $\mathrm{Predom}^I$ in place of $\mathrm{Set}^I$, where Predom is the category of predomains (ω-complete posets and continuous maps). The definition of the dcc structure is as in Section 3.2, with small adjustments to account for order.

For X a finite set we define

$$[\![\mathsf{comm}]\!]X = SX \Rightarrow SX_\bot \qquad [\![\mathsf{exp}]\!]X = SX \Rightarrow N_\bot \qquad [\![\mathsf{cell}]\!]X = X_\bot.$$

Here, $SX = X \Rightarrow N$ is the set of states at world X, and N is the set of natural numbers. The action of each primitive type on morphisms f in I is defined by renaming cells according to f, and ignoring cells not in the range of f.

Recursion is interpreted as follows. If $[\![M]\!] : [\![A]\!] \to [\![A]\!]$, then we require a map $[\![\mathsf{rec}\ x.\,M]\!] : 1 \to [\![A]\!]$. The definition is that $[\![\mathsf{rec}\ x.\,M]\!]X\,{*}$ is the least fixed point of the function $[\![M]\!]X : [\![A]\!]X \to [\![A]\!]X$. For existence, this definition requires the observation that each $[\![A]\!]X$ has a least element, and for naturality that all maps $[\![A]\!]f : [\![A]\!]X \to [\![A]\!]Y$ are strict as well as continuous [19].

We will not give the detailed semantics of other terms, but we comment on the sense in which the semantics of −∗ faithfully reflects the sharing interpretation. Consider the type cell −∗ cell −∗ comm. Semantically, an element $p \in [\![\mathsf{cell} \mathrel{-\!\!*} \mathsf{cell} \mathrel{-\!\!*} \mathsf{comm}]\!]\{\}$ accepts

two worlds Y and Z,
cells $c \in Y_\bot$ and $e \in Z_\bot$

and produces (using $\{\} + Y + Z = Y + Z$)

$$p[Y]c[Z]e : S(Y + Z) \Rightarrow S(Y + Z)_\bot$$

It is evident from this that the arguments c and e cannot be aliases, as (presuming neither is ⊥) they live in disjoint portions of the store at world Y + Z.

This model of SCI uses the multiplicatives −∗, I, and * (which is used to interpret typing contexts), along with the additive ∧. However, the model also contains the additive function type →, which can separately be used to model Idealized Algol, a language based on the simply-typed λ-calculus [22,16]. This observation leads to the question of whether there is a semantically natural enveloping language that contains both SCI and Idealized Algol.

Before describing how the αλ-calculus can be used to answer this question, we discuss why we might want to do so.
5.4 Limitations

There are two specific cases when the disjointness policy of SCI appears overly restrictive [21,23]. First, notice that the rule for recursion in SCI is restricted so that rec x. M is a closed term. The reason for this restriction is that, if an assignment to a free identifier y were to occur, as in (rec x. ··· y := e ··· x ···), then y would interfere with x, violating the disjointness policy. The problem can also be seen with a fixed-point operator Y: an unwinding of YF to F(YF) would violate the requirement of affine typing that the free identifiers of a function and argument be disjoint, unless F is closed.

The second limitation is jumps. To see the difficulty, consider a label declaration block escape x in M. This declares a new label which, when jumped to from within M, results in a transfer of control to the end of the block. From the point of view of continuation semantics, it binds x to the current continuation, which is a function from states to final answers that describes the computation that will take place after the block is finished. This means that, if the computation associated with the current continuation changes any storage variable then x will interfere with that storage variable. So, in (escape x in M); z := 4 the identifiers z and x interfere, if z occurs within M. Thus, from the point of view of continuation semantics, the escape statement violates the requirement that distinct identifiers never interfere (unless we put rather draconian conditions on identifiers appearing in or following an escape block).

A solution is to relax the disjointness requirement of SCI by using the αλ-calculus. A bunch Γ, Δ will indicate that identifiers appearing in Γ do not interfere with any identifiers in Δ, while the combination Γ ; Δ will allow interference to occur. Then, when a recursively defined x has an assignment to y in its body, the typing rule for recursion must ensure that x and y are separated by ; during the typing of the body, indicating that interference might occur. We will not give the solution for jumps in this preliminary paper, but the idea is similar: when typing an escape block we require a declared label to sit in additive combination with other identifiers appearing freely in its body.



6 An Enveloping Language

The enveloping language, SCI+, uses the affine αλ-calculus as its type system. The primitive types are the same as those given for SCI in Section 5.1, as are all of the language-specific rules, with the exception of recursion.

The SCI+ rule for recursion allows for free identifiers, as long as they are in additive combination with x.

$$\dfrac{\Gamma ; x : \theta \vdash M : \theta}{\Gamma \vdash \mathsf{rec}\ x.\,M : \theta}\ \text{(SCI+ rec)}$$

The sense in which SCI+ allows detection of interference is that, whenever we see a sequence αx λy or λx λy, we know that x and y don’t interfere. So, non-interference can be inferred (in a fail-safe manner) from a simple inspection of a context. The one difference is that in Basic SCI this determination is context free. It is context sensitive in SCI+ because when we see αx αy or λx αy we don’t know if x and y interfere or not.

Thus, the combination of additive and multiplicative features using bunches gives rise to a flexible form of interference control, where it is possible to switch between interference and non-interference. It allows programs that violate the disjointness policy of SCI to be accepted in a local context, but then embedded in larger contexts where the policy remains in effect. An example of this is given at the end of the section.



6.1 Mappings

Idealized Algol is similar to SCI, except that it has a more general rule for recursion, and it uses the full simply-typed λ-calculus as its type system. Formally, define IA to be the language in Section 5.1, with the addition of the two rules

$$\dfrac{\Gamma, x : \theta', y : \theta' \vdash M : \theta}{\Gamma, y : \theta' \vdash M[y/x] : \theta} \qquad \dfrac{\Gamma, x : \theta \vdash M : \theta}{\Gamma \vdash \mathsf{rec}\ x.\,M : \theta}$$

and with the symbol → replacing −∗ everywhere.

Proposition 12. 1. SCI+ has IA as a sublanguage. That is, if

$$x_1 : A_1, \ldots, x_n : A_n \vdash M : B$$

in IA then

$$x_1 : A_1 ; \ldots ; x_n : A_n \vdash M^* : B$$

in SCI+, where (·)* maps λ to α, and everything else (inductively) to itself.
2. SCI+ has SCI as a sublanguage. That is, if

$$x_1 : A_1, \ldots, x_n : A_n \vdash M : B$$

in SCI then

$$x_1 : A_1, \ldots, x_n : A_n \vdash M^\circ : B$$

in SCI+, where (·)° maps MN to M°@N° and everything else (inductively) to itself.

Most rules translate directly; the only exceptions are the SCI rule for recursion and the IA rule for new. SCI+ has the SCI recursion as a special case, using Γ = 1 and a coherent equivalence. The IA version of new translates to

$$\dfrac{\Gamma ; x : \mathsf{cell} \vdash M : \mathsf{comm}}{\Gamma \vdash \mathsf{new}\ x.\,M : \mathsf{comm}}$$

We can derive this at once using the SCI+ rule for new and the Conv rule of affine αλ.






6.2 Semantics

The category described in Section 5.3 can be used to interpret the types and the αλ typing rules, and semantic valuations for all the SCI+-specific terms can follow the standard route taken in functor category semantics [16,19,22]. We just indicate the treatment of recursion. If $[\![M]\!] : [\![\Gamma]\!] \times [\![A]\!] \to [\![A]\!]$, then we require a map $[\![\mathsf{rec}\ x.\,M]\!] : [\![\Gamma]\!] \to [\![A]\!]$. The definition is that $[\![\mathsf{rec}\ x.\,M]\!]X\,u$ is the least fixed point of $f : [\![A]\!]X \Rightarrow [\![A]\!]X$, where $f = \lambda a.\,[\![M]\!]X(u, a)$. This definition is tantamount to giving a fixed-point combinator of type (A → A) → A, using the additive function type.

The presence of u is the difference from the SCI case. If we were to have attempted to parameterize the definition there, we would have had to contend with $[\![\Gamma]\!] * [\![A]\!]$ instead of $[\![\Gamma]\!] \times [\![A]\!]$. Then, for a fixed u, we could not have considered arbitrary $a \in [\![A]\!]X$ as arguments, because of the disjointness requirement of *. Furthermore, an explicit attempt to “iterate from ⊥” to define the recursion would run into iterates that interfere with u which, again because of *, would disable the use of $[\![M]\!]$ to iterate further.

Using this model, it is possible to show a sense in which IA and SCI are semantic sublanguages of SCI+, adding to Proposition 12.



6.3 An Example

We give an example (with sugar) that violates the disjointness policy of SCI: the Towers of Hanoi program, where disks are moved between pegs.

moveone : exp −∗ exp −∗ comm
⊢ rec movemany . αk a b c : exp .
    if k > 0 then
      movemany(k − 1, a, c, b);
      moveone(a, b);
      movemany(k − 1, c, b, a)
  : exp → exp → exp → exp → comm

The procedure moveone can work by printing a message to the screen, or by recording a move in a global data structure. The point is that moveone and movemany interfere in the body of the procedure.

To type this using the rule for recursion the crucial point is that, during the typing of the body, we turn interference control off by using the bunch

moveone : exp −∗ exp −∗ comm ; movemany : exp → exp → exp → exp → comm

which indicates that moveone and movemany might interfere. But more globally we can turn interference control back on. For instance, in

moveone : exp −∗ exp −∗ comm , c : comm ⊢ ((rec movemany . ···) 7 1 2 3) ; c : comm

we will know that the two sequentially-composed commands don’t interfere. They could, therefore, be permuted without affecting the final result, or even run in parallel.
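The “simple inspection of a context” from the start of Section 6, and the two Towers of Hanoi bunches just shown, as an added Python example (written for this page, not the paper’s own code): it reads off the connective of the smallest sub-bunch containing two identifiers, and builds the bunch in force under a sequence of α and λ binders. The Leaf/Bunch representation and the 'alpha'/'lambda' binder tags are this example’s own assumptions.

```python
# Reading interference off a bunch, as SCI+ does (Section 6).  Constructed for
# this page; Leaf/Bunch and the 'alpha'/'lambda' binder tags are our encoding.
from dataclasses import dataclass


@dataclass(frozen=True)
class Leaf:
    """An assumption x : θ; the type is kept as a string for display only."""
    ident: str
    type_: str


@dataclass(frozen=True)
class Bunch:
    """Γ , Δ when conn is ',' (no interference across it) or Γ ; Δ when conn
    is ';' (interference permitted across it)."""
    conn: str
    parts: tuple


def path_to(b, ident, path=()):
    """Bunch nodes on the root-to-leaf path of ident (leaf excluded), or None."""
    if isinstance(b, Leaf):
        return path if b.ident == ident else None
    for part in b.parts:
        found = path_to(part, ident, path + (b,))
        if found is not None:
            return found
    return None


def separating_connective(bunch, x, y):
    """Connective of the smallest sub-bunch containing both x and y: ',' means
    the typing rules guarantee that x and y do not interfere, ';' that they may.
    In Basic SCI every context is flat and multiplicative, so the answer is
    always ',' (context free); in SCI+ it depends on where x and y sit."""
    if x == y:
        raise ValueError('an identifier shares resources with itself')
    px, py = path_to(bunch, x), path_to(bunch, y)
    if px is None or py is None:
        raise KeyError('identifier not in bunch')
    common = None
    for a, b in zip(px, py):
        if a is not b:
            break
        common = a
    return common.conn


def may_interfere(bunch, x, y):
    return separating_connective(bunch, x, y) == ';'


def bunch_from_binders(binders, base=None):
    """Bunch in force while typing the body under a binder sequence, read left
    to right: alpha x (→I) extends the bunch with '; x', lambda x (−∗I) with
    ', x'.  Hence αx λy and λx λy separate x and y by ',', while αx αy and
    λx αy separate them by ';' (so nothing can be concluded)."""
    b = base
    for kind, ident, type_ in binders:
        leaf = Leaf(ident, type_)
        b = leaf if b is None else Bunch(';' if kind == 'alpha' else ',', (b, leaf))
    return b


# The two Towers of Hanoi bunches of Section 6.3.
MOVEONE = Leaf('moveone', 'exp −∗ exp −∗ comm')
MOVEMANY = Leaf('movemany', 'exp → exp → exp → exp → comm')
HANOI_BODY = Bunch(';', (MOVEONE, MOVEMANY))             # control switched off
HANOI_GLOBAL = Bunch(',', (MOVEONE, Leaf('c', 'comm')))  # switched back on
```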
Abstract. This paper establishes a Curry-Howard isomorphism for compilation and program execution by showing the following facts. (1) The set of A-normal forms, which is often used as an intermediate language for compilation, corresponds to a subsystem of Kleene’s contraction-free variant of Gentzen’s intuitionistic sequent calculus. (2) Compiling the lambda terms to the set of A-normal forms corresponds to proof transformation from the natural deduction to the sequent calculus followed by proof normalization. (3) Execution of an A-normal form corresponds to a special proof reduction in the sequent calculus. Different from cut elimination, this process eliminates left rules by converting them to cuts of proofs corresponding to closed values. The evaluation of an entire program is the process of inductively applying this process followed by constructing data structures.



1 Introduction

Curry-Howard isomorphism [3,11] is one of the most influential concepts in the design and analysis of programming languages. It reveals the exact correspondence between the typed lambda calculus and the natural deduction proof system: typing derivations correspond to proofs and β reduction corresponds to proof normalization. This notion is, however, not entirely appropriate for an actual programming language because of the apparent mismatch between β reduction and language implementation. In actual programming languages (except for some interpreted languages) a program is not β reduced but instead is compiled to low-level code and then executed by an (abstract) machine. Because of this mismatch, the profound correspondence between β reduction and proof normalization does not have much significance in language implementation. If the Curry-Howard isomorphism is extended to the implementation process, then research on compilation and implementation would benefit greatly through the high-level logical analysis made available by the extended isomorphism. This would be particularly useful for recent active research on types in compilation, where compilation is directed by typing derivations. The goal of this paper is to establish a Curry-Howard isomorphism for compilation and program execution.

There are several formalisms for compilation and program execution. Here we base our development on the work by Flanagan et al. [6] for a call-by-value functional language using an intermediate language called A-normal forms, which is equivalent to the language obtained from CPS terms by the “un-CPS” transformation [5,19] that eliminates continuations. In this formalism, compilation is modeled by transformation from lambda terms into A-normal forms, and program execution is defined by an abstract machine for A-normal forms. As forcefully argued by Flanagan et al., compiling into A-normal forms can be regarded as “the essence” of compiling a functional language, and the execution model for A-normal forms closely reflects an actual implementation of a functional language using environments. They give a simple linear time compilation algorithm and demonstrate through their experimentation that it can be used as a basis for an efficient practical compiler. Because of these facts, we also believe that compiling with A-normal forms can serve as a realistic model for efficient implementation of functional languages.

Our specific goal is therefore to develop logical foundations for compiling 
the lambda terms to the set of A-normal forms and for evaluation of A-normal 
forms. We achieve this goal by establishing the following facts. 

1. A logic that corresponds to a language for mechanical execution in a conventional computer system is a Gentzen-style sequent calculus, which represents a finer notion of computation than the natural deduction system. Instead of performing general substitution, it decomposes a computation on a data type into smaller structures by the corresponding left rule. In particular, Kleene’s [13] contraction-free sequent calculus, denoted here by $\mathcal{GK}$, serves as a logic for an implementation language. The set of A-normal forms is identified with a subsystem $\mathcal{GKA}$ whose proofs are those of $\mathcal{GK}$ in a certain normal form.

2. A compilation algorithm from lambda terms to A-normal forms in the style of [6] corresponds to the composition of a proof transformation from the natural deduction system (denoted here by $\mathcal{N}$) to $\mathcal{GK}$, and a proof normalization from $\mathcal{GK}$ to $\mathcal{GKA}$.

3. Execution of an A-normal form corresponds to a special proof reduction process in $\mathcal{GKA}$. Different from cut elimination, this process eliminates left rules by converting them to cuts of proofs corresponding to closed values. The evaluation of an entire program is the process of inductively applying this process followed by constructing data structures. This process exactly corresponds to execution of a program using environments.

These results establish a Curry-Howard isomorphism for compilation and program execution. The summary of the correspondence is shown in Fig. 1.

[Fig. 1 diagram: Languages / Sequent Calculus]
Fig. 1. Curry-Howard isomorphism for compilation and program execution

Intuitively, an A-normal compiler performs two types of transformations: (1) it identifies all the redexes by naming the intermediate results of reductions, and (2) it flattens and linearizes redexes by extending the scope of intermediate bindings. As a simple example, consider the source term (f (g x)). The first type of transformation converts this term into the following:

app (f (app (g x) is z in z)) is w in w

where app (x M) is y in N is our syntax in $\mathcal{GK}$ for applying function x to M and naming the result as y in N. This is exactly the transformation of a natural deduction proof to a sequent calculus proof. The second type of transformation converts this into the following A-normal form:

app (g x) is z in (app (f z) is w in w)

This process is the proof normalization from $\mathcal{GK}$ to $\mathcal{GKA}$. Execution of an A-normal form is also tightly modeled in $\mathcal{GKA}$: an operational semantics of A-normal forms exactly corresponds to a proof reduction in $\mathcal{GKA}$.
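Both transformation steps above, together with the normalization of Section 3.1 that pushes cuts and left rules out of argument premises, as an added Python example (written for this page, not the paper’s own code). It assumes untyped source terms and the naming scheme z, w, v0, ... for intermediate results, and it handles a non-variable function position by binding it with let, a case the paper’s example does not need.

```python
# A-normal compilation in the two steps the paper describes, constructed for
# this page: (1) name every intermediate result (a GK term); (2) push cuts and
# left rules out of argument premises (a GKA term).
from dataclasses import dataclass
from itertools import chain, count


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Lam:                 # λx.M  (shared by the source language and GK)
    param: str
    body: object


@dataclass(frozen=True)
class App:                 # M N   (source language only)
    fun: object
    arg: object


@dataclass(frozen=True)
class AppIs:               # app (fun arg) is res in body   -- the (⊃:L) rule
    fun: str
    arg: object
    res: str
    body: object


@dataclass(frozen=True)
class Let:                 # let var = rhs in body          -- the (cut) rule
    var: str
    rhs: object
    body: object


def fresh_names():
    """Names for intermediate results, matching the paper's example (z, w)."""
    return chain(['z', 'w'], (f'v{i}' for i in count()))


def to_gk(t, fresh):
    """Step 1, natural deduction -> sequent calculus: every application names
    its result.  (⊃:L) applies a variable, so a non-variable function position
    is first bound by let (our extension; the paper's example needs no let)."""
    if isinstance(t, Var):
        return t
    if isinstance(t, Lam):
        return Lam(t.param, to_gk(t.body, fresh))
    arg = to_gk(t.arg, fresh)
    if isinstance(t.fun, Var):
        w = next(fresh)
        return AppIs(t.fun.name, arg, w, Var(w))
    f, w = next(fresh), next(fresh)
    return Let(f, to_gk(t.fun, fresh), AppIs(f, arg, w, Var(w)))


def is_value(t):
    return isinstance(t, (Var, Lam))


def hoist(m, k):
    """m is already A-normal: move the bindings at its root outward, past the
    rule k is waiting to build, then plug the remaining value into k.  By the
    bound variable convention all names are distinct, so nothing is captured."""
    if isinstance(m, AppIs):
        return AppIs(m.fun, m.arg, m.res, hoist(m.body, k))
    if isinstance(m, Let):
        return Let(m.var, m.rhs, hoist(m.body, k))
    return k(m)


def normalize(t):
    """Step 2, GK -> GKA: argument premises (the arg of app, the rhs of let)
    must be values, so a cut or left rule found there is pushed downward."""
    if isinstance(t, Lam):
        return Lam(t.param, normalize(t.body))
    if isinstance(t, AppIs):
        return hoist(normalize(t.arg),
                     lambda v: AppIs(t.fun, v, t.res, normalize(t.body)))
    if isinstance(t, Let):
        return hoist(normalize(t.rhs),
                     lambda v: Let(t.var, v, normalize(t.body)))
    return t


def compile_anf(t):
    return normalize(to_gk(t, fresh_names()))


def is_anormal(t):
    """Membership in the A-normal form grammar of Section 3.1."""
    if isinstance(t, Lam):
        return is_anormal(t.body)
    if isinstance(t, AppIs):
        return is_value(t.arg) and is_anormal(t.body)
    if isinstance(t, Let):
        return is_value(t.rhs) and is_anormal(t.body)
    return isinstance(t, Var)


def show(t):
    """Render in the paper's concrete syntax."""
    def wrap(s):
        return s.name if isinstance(s, Var) else f'({show(s)})'
    if isinstance(t, Var):
        return t.name
    if isinstance(t, Lam):
        return f'\\{t.param}.{show(t.body)}'
    if isinstance(t, AppIs):
        return f'app ({t.fun} {wrap(t.arg)}) is {t.res} in {wrap(t.body)}'
    return f'let {t.var} = {wrap(t.rhs)} in {wrap(t.body)}'
```

For the paper's term, show(to_gk(App(Var('f'), App(Var('g'), Var('x'))), fresh_names())) yields the step-1 term above and show(compile_anf(...)) the A-normal form.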

We believe that the logical correspondences worked out in this paper will contribute to the design, analysis and optimization of compilation in a higher-order functional language. As an example of one such benefit, the A-normal compilation of [6] is immediately extended to products and sums by using the corresponding logical principles, as seen in this paper.

Related work. Before giving the technical development, we compare the results presented in this paper with related work. The use of a Gentzen-style sequent calculus as a model of computation is not new. Abramsky [1] has given a term calculus for linear logic. Breazu-Tannen et al. [2] have given a typed pattern calculus where the underlying logic is a sequent calculus. In [4,10] a sequent calculus is regarded as a model of computation. In particular, Herbelin [10] has argued that a sequent calculus can be a basis for computation and presented a term calculus. Based on a similar observation, Ogata [16] has shown that the term calculus presented in [4] corresponds to CPS terms under Griffin’s [9] interpretation of CPS terms. In a tutorial article, Gallier [7] has given a term calculus for a Gentzen sequent calculus and suggested that a Gentzen-style sequent calculus represents a finer notion of computation than β reduction. In general perspective, all those term calculi are similar to ours in the sense that they represent a refined notion of computation, and they have been a source of inspiration for the present paper. However, to the author’s knowledge, the connection to compilation and execution of compiled code has not been investigated.

In establishing this connection in the present paper, we use a well known result stating that any natural deduction proof can be transformed into a proof in the sequent calculus. Zucker [21] and Pottinger [17] conducted extensive studies on the relationship between the two proof systems. As we will show, however, this relationship alone does not provide the desired interpretation for compilation and program execution, and significant new results are needed to extend the Curry-Howard isomorphism to them. In the existing work on Gentzen’s sequent calculus and computation, the advocated thesis is that “cut elimination corresponds to computation.” Our analysis shows, however, that this commonly believed thesis does not apply to actual implementation of a (call-by-value) functional language. In the usual cut elimination, the cut rule is inductively moved upward to smaller proofs. A somewhat surprising result of our work is that program evaluation in a conventional implementation pushes cut downwards, and corresponds to a quite different proof normalization process.

Paper Organization. Section 2 defines the typed lambda calculus. Section 3 defines $\mathcal{GK}$, $\mathcal{GKA}$, and a proof normalization from $\mathcal{GK}$ to $\mathcal{GKA}$. Section 4 shows that a compilation algorithm from lambda terms to A-normal forms is the combination of a proof transformation from the natural deduction to $\mathcal{GK}$ and a proof normalization from $\mathcal{GK}$ to $\mathcal{GKA}$. Section 5 shows that the operational semantics of A-normal forms is a proof reduction in $\mathcal{GKA}$. Section 6 concludes the paper.

Limitations of space make it difficult to cover the technical development fully; 
the author intends to present a more detailed description elsewhere. 

Acknowledgments. The author would like to thank Yasuhiko Minamide 
and Ichiro Ogata for useful discussions on A-normal forms and sequent calculi. 
He also thanks Susumu Nishimura for helpful comments on a draft of this paper. 



2 Typed Lambda Calculus

To make the relationship to logic explicit, we use the following logical notations for types (ranged over by τ):

$$\tau ::= b \mid \tau \supset \tau \mid \tau \wedge \tau \mid \tau \vee \tau$$

where b stands for a given set of atomic types. A type assignment Γ is a function from a finite set of variables to types. We write $\{x_1 : \tau_1, \ldots, x_n : \tau_n\}$ for the function that maps each $x_i$ to $\tau_i$ ($1 \le i \le n$). If f is a function, we write $f, x : \tau$ for the function $f'$ such that $\mathrm{dom}(f') = \mathrm{dom}(f) \cup \{x\}$ and $f'(x) = \tau$, $f'(y) = f(y)$ if $y \ne x$. The set of terms is given by the following syntax:

$$M ::= c^b \mid x \mid \lambda x : \tau.M \mid M\ M \mid (M, M) \mid M.1 \mid M.2 \mid \mathrm{in1}(M : \tau) \mid \mathrm{in2}(M : \tau) \mid \mathrm{case}\ M\ \mathrm{of}\ x.M, x.M$$

$c^b$ stands for atomic constants of type b. x stands for a given set of variables. M.1 and M.2 are first and second projection, respectively. in1(M : τ), in2(M : τ) are left and right injection to a variant, respectively. The type annotations in λx : τ.M, in1(M : τ), and in2(M : τ) are necessary to achieve the uniqueness of typing derivation (uniqueness of a term representation of a proof). In what follows, however, we make those type annotations implicit.



(axiom) $\Gamma \vdash c^b : b$   (taut) $\Gamma, x : \tau \vdash x : \tau$

(⊃:I) $\dfrac{\Gamma, x : \tau_1 \vdash M : \tau_2}{\Gamma \vdash \lambda x : \tau_1.\,M : \tau_1 \supset \tau_2}$   (⊃:E) $\dfrac{\Gamma \vdash M_1 : \tau_1 \supset \tau_2 \quad \Gamma \vdash M_2 : \tau_1}{\Gamma \vdash M_1\,M_2 : \tau_2}$

(∧:I) $\dfrac{\Gamma \vdash M_1 : \tau_1 \quad \Gamma \vdash M_2 : \tau_2}{\Gamma \vdash (M_1, M_2) : \tau_1 \wedge \tau_2}$   (∧:E$_i$) $\dfrac{\Gamma \vdash M : \tau_1 \wedge \tau_2}{\Gamma \vdash M.i : \tau_i}$ ($i \in \{1, 2\}$)

(∨:I$_i$) $\dfrac{\Gamma \vdash M : \tau_i}{\Gamma \vdash \mathrm{in}i(M : \tau_1 \vee \tau_2) : \tau_1 \vee \tau_2}$ ($i \in \{1, 2\}$)

(∨:E) $\dfrac{\Gamma \vdash M_1 : \tau_1 \vee \tau_2 \quad \Gamma, x : \tau_1 \vdash M_2 : \tau_3 \quad \Gamma, y : \tau_2 \vdash M_3 : \tau_3}{\Gamma \vdash \mathrm{case}\ M_1\ \mathrm{of}\ x.M_2, y.M_3 : \tau_3}$

Fig. 2. Typed Lambda Calculus with Products and Sums



The proof system for the typed lambda terms is given in Fig. 2. The following properties are well known as Curry-Howard isomorphism.

— If we erase M from $\Gamma \vdash M : \tau$ and replace Γ with the multi-set obtained by erasing the variables, then we obtain the natural deduction system [18] (with additional axioms for atomic propositions), which is denoted here by $\mathcal{N}$.

— If $\Gamma \vdash M : \tau$ is provable then the term M uniquely represents a proof of $\Gamma \vdash M : \tau$ in $\mathcal{N}$.

— The β reduction on lambda terms corresponds to proof normalization in $\mathcal{N}$.

We say that $\Gamma \vdash M : \tau$ holds in $\mathcal{N}$ if it is provable in this proof system. Our aim is to extend this logical correspondence to compilation and program execution using a Gentzen-style sequent calculus.



3 Intuitionistic Sequent Calculus: $\mathcal{GK}$

We choose a contraction-free variant of Gentzen’s intuitionistic sequent calculus due to Kleene [13, Ch. XV, §80], which is particularly suitable for establishing the exact correspondence between program execution and proof reduction.

The set of types is the same as that of $\mathcal{N}$. The set of terms is given by the following syntax.

$$M ::= c^b \mid x \mid \lambda x.M \mid \mathrm{app}\ (x\ M)\ \mathrm{is}\ y\ \mathrm{in}\ M \mid (M, M) \mid \mathrm{proj}\ x\ \mathrm{on}\ (y, z)\ \mathrm{in}\ M \mid \mathrm{in1}(M) \mid \mathrm{in2}(M) \mid \mathrm{case}\ x\ \mathrm{of}\ y.M, z.M \mid \mathrm{let}\ x = M\ \mathrm{in}\ M$$

We have explained app (x M1) is y in M2. proj x on (y, z) in M binds y to the first component of x, and binds z to the second component of x in M. case x of y.M1, z.M2 performs case analysis on x: if it is of the form in1(u) then it binds y to u in M1; otherwise x is of the form in2(v) and it binds z to v in M2. The proof system is given in Fig. 3.



(axiom) $\Gamma \vdash c^b : b$   (taut) $\Gamma, x : \tau \vdash x : \tau$

(⊃:R) $\dfrac{\Gamma, x : \tau_1 \vdash M : \tau_2}{\Gamma \vdash \lambda x.M : \tau_1 \supset \tau_2}$

(⊃:L) $\dfrac{\Gamma, x : \tau_1 \supset \tau_2 \vdash M_1 : \tau_1 \quad \Gamma, x : \tau_1 \supset \tau_2, y : \tau_2 \vdash M_2 : \tau_3}{\Gamma, x : \tau_1 \supset \tau_2 \vdash \mathrm{app}\ (x\ M_1)\ \mathrm{is}\ y\ \mathrm{in}\ M_2 : \tau_3}$

(∧:R) $\dfrac{\Gamma \vdash M_1 : \tau_1 \quad \Gamma \vdash M_2 : \tau_2}{\Gamma \vdash (M_1, M_2) : \tau_1 \wedge \tau_2}$   (∨:R$_i$) $\dfrac{\Gamma \vdash M : \tau_i}{\Gamma \vdash \mathrm{in}i(M) : \tau_1 \vee \tau_2}$ ($i \in \{1, 2\}$)

(∧:L) $\dfrac{\Gamma, x : \tau_1 \wedge \tau_2, y : \tau_1, z : \tau_2 \vdash M : \tau_3}{\Gamma, x : \tau_1 \wedge \tau_2 \vdash \mathrm{proj}\ x\ \mathrm{on}\ (y, z)\ \mathrm{in}\ M : \tau_3}$

(∨:L) $\dfrac{\Gamma, x : \tau_1 \vee \tau_2, y : \tau_1 \vdash M_1 : \tau_3 \quad \Gamma, x : \tau_1 \vee \tau_2, z : \tau_2 \vdash M_2 : \tau_3}{\Gamma, x : \tau_1 \vee \tau_2 \vdash \mathrm{case}\ x\ \mathrm{of}\ y.M_1, z.M_2 : \tau_3}$

(cut) $\dfrac{\Gamma \vdash M_1 : \tau_1 \quad \Gamma, x : \tau_1 \vdash M_2 : \tau_2}{\Gamma \vdash \mathrm{let}\ x = M_1\ \mathrm{in}\ M_2 : \tau_2}$

Fig. 3. Gentzen-style Intuitionistic Sequent Calculus $\mathcal{GK}$



For our calculus, the notions of bound and free variables are defined on both terms and proofs, and we can show that α-equivalence holds in this calculus. In the following development, we assume the “bound variable convention”, i.e. all bound variables are distinct and are different from any free variables. It should be noted, however, that α-equivalence is not entirely obvious for sequent calculi. For example, if we adopt Gentzen’s original proof system where each left rule introduces a new assumption, then some extra machinery will be needed to obtain α-equivalence.



3.1 A-Normal Forms and Proof Normalization

We define a subsystem $\mathcal{GKA}$ of $\mathcal{GK}$ whose proofs correspond to the set of A-normal forms. We say that a premise is an argument premise if it is a premise of one of the right rules except (⊃:R), or it is the left premise of (⊃:L) or (cut). $\mathcal{GKA}$ is obtained from $\mathcal{GK}$ by distinguishing those proofs that correspond to “values”, and restricting argument premises to be value proofs. The set of values (ranged over by V) and the set of A-normal forms are given as follows.

$$V ::= c^b \mid x \mid \lambda x.M \mid (V, V) \mid \mathrm{in1}(V) \mid \mathrm{in2}(V)$$

$$M ::= V \mid \mathrm{app}\ (x\ V)\ \mathrm{is}\ y\ \mathrm{in}\ M \mid \mathrm{proj}\ x\ \mathrm{on}\ (y, z)\ \mathrm{in}\ M \mid \mathrm{case}\ x\ \mathrm{of}\ y.M, z.M \mid \mathrm{let}\ x = V\ \mathrm{in}\ M$$

The proof system $\mathcal{GKA}$ is given in Fig. 4, where the use of a meta variable V indicates that it must be a value.



\[
\begin{array}{c}
\textbf{Values} \\[1ex]
\dfrac{}{\Gamma \vdash c^b : b}\ (\text{axiom})
\qquad
\dfrac{}{\Gamma, x:\tau \vdash x : \tau}\ (\text{taut})
\qquad
\dfrac{\Gamma \vdash V_1 : \tau_1 \qquad \Gamma \vdash V_2 : \tau_2}{\Gamma \vdash (V_1, V_2) : \tau_1\wedge\tau_2}\ (\wedge{:}R)
\\[3ex]
\dfrac{\Gamma \vdash V : \tau_i}{\Gamma \vdash \text{in}_i(V) : \tau_1\vee\tau_2}\ (\vee{:}R_i)\ (i \in \{1,2\})
\qquad
\dfrac{\Gamma, x:\tau_1 \vdash M : \tau_2}{\Gamma \vdash \lambda x.M : \tau_1\supset\tau_2}\ (\supset{:}R)
\\[3ex]
\textbf{General A-normal forms} \\[1ex]
\dfrac{\Gamma, x:\tau_1\supset\tau_2 \vdash V : \tau_1 \qquad \Gamma, x:\tau_1\supset\tau_2, y:\tau_2 \vdash M : \tau_3}{\Gamma, x:\tau_1\supset\tau_2 \vdash \text{app }(x\ V)\text{ is }y\text{ in }M : \tau_3}\ (\supset{:}L)
\\[3ex]
\dfrac{\Gamma, x:\tau_1\wedge\tau_2, y:\tau_1, z:\tau_2 \vdash M : \tau_3}{\Gamma, x:\tau_1\wedge\tau_2 \vdash \text{proj }x\text{ on }(y,z)\text{ in }M : \tau_3}\ (\wedge{:}L)
\\[3ex]
\dfrac{\Gamma, x:\tau_1\vee\tau_2, y:\tau_1 \vdash M_1 : \tau_3 \qquad \Gamma, x:\tau_1\vee\tau_2, z:\tau_2 \vdash M_2 : \tau_3}{\Gamma, x:\tau_1\vee\tau_2 \vdash \text{case }x\text{ of }y.M_1,\ z.M_2 : \tau_3}\ (\vee{:}L)
\\[3ex]
\dfrac{\Gamma \vdash V : \tau_1 \qquad \Gamma, x:\tau_1 \vdash M : \tau_2}{\Gamma \vdash \text{let }x = V\text{ in }M : \tau_2}\ (\text{cut})
\end{array}
\]

Fig. 4. Proof system $\mathcal{GKA}$ for A-normal forms



We define the set $\mathcal{S}$ of proof transformations from $\mathcal{GK}$ to $\mathcal{GKA}$. Each trans-
formation pushes a cut rule or a left rule appearing in an argument premise
downward. For each of $\{(\text{cut}), (\supset{:}L), (\wedge{:}L), (\vee{:}L)\}$ there are 6 transformation
rules corresponding to the 6 different argument premises (the two premises of
$(\wedge{:}R)$, the premise of each of $(\vee{:}R_1)$ and $(\vee{:}R_2)$, and the left premises of $(\supset{:}L)$
and (cut)).

The sets of transformations for $\{(\supset{:}L), (\wedge{:}L), (\text{cut})\}$ are similar to one an-
other. Here we only show the two cases where (cut) appears in an argument
premise:



\[
\dfrac{\dfrac{\Delta_1\ (\Gamma \vdash M_1 : \tau_1) \qquad \Delta_2\ (\Gamma, x:\tau_1 \vdash M_2 : \tau_2)}{\Gamma \vdash \text{let }x = M_1\text{ in }M_2 : \tau_2}\ (\text{cut}) \qquad \Delta_3\ (\Gamma \vdash M_3 : \tau_3)}{\Gamma \vdash (\text{let }x = M_1\text{ in }M_2,\ M_3) : \tau_2\wedge\tau_3}\ (\wedge{:}R)
\]
\[
\Longrightarrow\quad
\dfrac{\Delta_1\ (\Gamma \vdash M_1 : \tau_1) \qquad \dfrac{\Delta_2\ (\Gamma, x:\tau_1 \vdash M_2 : \tau_2) \qquad \Delta_3 + \{x:\tau_1\}\ (\Gamma, x:\tau_1 \vdash M_3 : \tau_3)}{\Gamma, x:\tau_1 \vdash (M_2, M_3) : \tau_2\wedge\tau_3}\ (\wedge{:}R)}{\Gamma \vdash \text{let }x = M_1\text{ in }(M_2, M_3) : \tau_2\wedge\tau_3}\ (\text{cut})
\]

\[
\dfrac{\dfrac{\Delta_1\ (\Gamma \vdash M_1 : \tau_1) \qquad \Delta_2\ (\Gamma, x:\tau_1 \vdash M_2 : \tau_2)}{\Gamma \vdash \text{let }x = M_1\text{ in }M_2 : \tau_2}\ (\text{cut}) \qquad \Delta_3\ (\Gamma, y:\tau_2 \vdash M_3 : \tau_3)}{\Gamma \vdash \text{let }y = (\text{let }x = M_1\text{ in }M_2)\text{ in }M_3 : \tau_3}\ (\text{cut})
\]
\[
\Longrightarrow\quad
\dfrac{\Delta_1\ (\Gamma \vdash M_1 : \tau_1) \qquad \dfrac{\Delta_2\ (\Gamma, x:\tau_1 \vdash M_2 : \tau_2) \qquad \Delta_3 + \{x:\tau_1\}\ (\Gamma, x:\tau_1, y:\tau_2 \vdash M_3 : \tau_3)}{\Gamma, x:\tau_1 \vdash \text{let }y = M_2\text{ in }M_3 : \tau_3}\ (\text{cut})}{\Gamma \vdash \text{let }x = M_1\text{ in let }y = M_2\text{ in }M_3 : \tau_3}\ (\text{cut})
\]

where $\Delta\ (\Gamma \vdash M : \tau)$ denotes a proof $\Delta$ of the sequent $\Gamma \vdash M : \tau$, and $\Delta + \{x:\tau\}$ is the
proof obtained from the proof $\Delta$ by adding $\{x:\tau\}$ to the assumptions of each
sequent in $\Delta$.

If we project the set $\mathcal{S}$ of proof transformations on untyped term structures,
then they become the following set of reduction rules:
\[
\begin{array}{rcl}
C[\text{app }(x\ M_1)\text{ is }y\text{ in }M_2] & \Rightarrow & \text{app }(x\ M_1)\text{ is }y\text{ in }C[M_2] \\
C[\text{proj }z\text{ on }(w,v)\text{ in }M_1] & \Rightarrow & \text{proj }z\text{ on }(w,v)\text{ in }C[M_1] \\
C[\text{let }x = M_1\text{ in }M_2] & \Rightarrow & \text{let }x = M_1\text{ in }C[M_2] \\
C[\text{case }x\text{ of }y.M_1,\ z.M_2] & \Rightarrow & \text{case }x\text{ of }y.C[M_1],\ z.C[M_2]
\end{array}
\]
where $C[\ ]$ denotes any one of the following contexts:
\[
C[\ ] ::= ([\ ], M) \mid (M, [\ ]) \mid \text{in}_1([\ ]) \mid \text{in}_2([\ ]) \mid \text{app }(x\ [\ ])\text{ is }y\text{ in }M \mid \text{let }x = [\ ]\text{ in }M
\]
This set of rules can be regarded as a "one-step version" of some of the A-reductions
defined in [6]. (The other A-reduction rules correspond to the proof transformation
from $\mathcal{N}$ to $\mathcal{GK}$ for function application.)
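The four context-pushing rules above, implemented in Python as an added example (this code is not from the paper): `normalize` applies them until every argument position holds a value, and `is_anf` checks the result against the grammar of Section 3.1. The tuple encoding of terms is an assumption of this example, not the paper's notation; as in the paper, the bound variable convention is assumed, so pushing a context under a binder captures nothing. The constructed inputs are the pair-of-projection term discussed at the end of Section 3 and the two cut cases shown above.

```python
# Assumed encoding of the untyped GK terms of Section 3 (not the paper's notation):
#   ("const", c) | ("var", x) | ("lam", x, M) | ("app", x, M1, y, M2)   app (x M1) is y in M2
#   ("pair", M1, M2) | ("proj", x, y, z, M)  proj x on (y,z) in M | ("in1", M) | ("in2", M)
#   ("case", x, y, M1, z, M2)  case x of y.M1, z.M2 | ("let", x, M1, M2)

def is_value(m):
    """V ::= c | x | lambda x.M | (V, V) | in_i(V)."""
    tag = m[0]
    if tag in ("const", "var", "lam"):
        return True
    if tag == "pair":
        return is_value(m[1]) and is_value(m[2])
    if tag in ("in1", "in2"):
        return is_value(m[1])
    return False

def plug(m, ctx):
    """Compute C[m] for the context C represented by the function ctx: while m is a
    cut or a left rule, push the context into its continuation (duplicating it over
    both branches of a case, as the paper notes); once m is a value, fill the hole."""
    tag = m[0]
    if tag == "let":    # C[let x = M1 in M2]  =>  let x = M1 in C[M2]
        return ("let", m[1], m[2], plug(m[3], ctx))
    if tag == "app":    # C[app (x M1) is y in M2]  =>  app (x M1) is y in C[M2]
        return ("app", m[1], m[2], m[3], plug(m[4], ctx))
    if tag == "proj":   # C[proj x on (y,z) in M]  =>  proj x on (y,z) in C[M]
        return ("proj", m[1], m[2], m[3], plug(m[4], ctx))
    if tag == "case":   # C[case x of y.M1, z.M2]  =>  case x of y.C[M1], z.C[M2]
        return ("case", m[1], m[2], plug(m[3], ctx), m[4], plug(m[5], ctx))
    return ctx(m)

def normalize(m):
    """Apply the rules until no argument premise holds a cut or a left rule."""
    tag = m[0]
    if tag in ("const", "var"):
        return m
    if tag == "lam":
        return ("lam", m[1], normalize(m[2]))
    if tag == "pair":   # contexts ([ ], M) and (M, [ ])
        return plug(normalize(m[1]),
                    lambda v1: plug(normalize(m[2]), lambda v2: ("pair", v1, v2)))
    if tag in ("in1", "in2"):   # contexts in_i([ ])
        return plug(normalize(m[1]), lambda v: (tag, v))
    if tag == "app":    # context app (x [ ]) is y in M
        return plug(normalize(m[2]), lambda v: ("app", m[1], v, m[3], normalize(m[4])))
    if tag == "let":    # context let x = [ ] in M
        return plug(normalize(m[2]), lambda v: ("let", m[1], v, normalize(m[3])))
    if tag == "proj":
        return ("proj", m[1], m[2], m[3], normalize(m[4]))
    if tag == "case":
        return ("case", m[1], m[2], normalize(m[3]), m[4], normalize(m[5]))
    raise ValueError("unknown term tag: %r" % (tag,))

def is_anf(m):
    """Membership in the A-normal forms of Section 3.1: every argument position
    holds a value and every lambda body is again an A-normal form."""
    tag = m[0]
    if tag in ("const", "var"):
        return True
    if tag == "lam":
        return is_anf(m[2])
    if tag == "pair":
        return all(is_value(c) and is_anf(c) for c in m[1:])
    if tag in ("in1", "in2"):
        return is_value(m[1]) and is_anf(m[1])
    if tag in ("app", "let"):
        return is_value(m[2]) and is_anf(m[2]) and is_anf(m[-1])
    if tag == "proj":
        return is_anf(m[4])
    if tag == "case":
        return is_anf(m[3]) and is_anf(m[5])
    return False

# Constructed inputs: (proj z on (x,y) in (x,y), z), let y = (let x = 1 in x) in y,
# and (case x of y.y, z.z, w), which exercises the duplicating case rule.
PAIR_OF_PROJ = ("pair", ("proj", "z", "x", "y", ("pair", ("var", "x"), ("var", "y"))), ("var", "z"))
NESTED_LET = ("let", "y", ("let", "x", ("const", 1), ("var", "x")), ("var", "y"))
PAIR_OF_CASE = ("pair", ("case", "x", "y", ("var", "y"), "z", ("var", "z")), ("var", "w"))

if __name__ == "__main__":
    for t in (PAIR_OF_PROJ, NESTED_LET, PAIR_OF_CASE):
        print(normalize(t), is_anf(normalize(t)))
```

The first input normalizes to proj z on (x,y) in ((x,y), z), the form the paper uses in Section 3 to explain why the contraction-free calculus is the right choice; the third shows the context (·, w) being copied into both branches of the case.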

Next we consider transformations for $(\vee{:}L)$. The structures of the transfor-
mations are similar to the previous cases except that part of the derivation is copied.
Suppose $(\vee{:}L)$ appears in an argument premise of a rule $R$. There are two types
of transformations depending on whether $R$ is a right rule or not. Here we only
show the case where $(\vee{:}L)$ appears in the left argument premise of $(\wedge{:}R)$.
\[
\dfrac{\dfrac{\Delta_1 \qquad \Delta_2}{\Gamma, x:\tau_1\vee\tau_2 \vdash \text{case }x\text{ of }y.M_1,\ z.M_2 : \tau_3}\ (\vee{:}L) \qquad \Delta_3}{\Gamma, x:\tau_1\vee\tau_2 \vdash ((\text{case }x\text{ of }y.M_1,\ z.M_2),\ M_3) : \tau_3\wedge\tau_4}\ (\wedge{:}R)
\]
\[
\Longrightarrow\quad
\dfrac{\dfrac{\Delta_1 \qquad \Delta_3 + \{y:\tau_1\}}{\Gamma, x:\tau_1\vee\tau_2, y:\tau_1 \vdash (M_1, M_3) : \tau_3\wedge\tau_4}\ (\wedge{:}R) \qquad \dfrac{\Delta_2 \qquad \Delta_3 + \{z:\tau_2\}}{\Gamma, x:\tau_1\vee\tau_2, z:\tau_2 \vdash (M_2, M_3) : \tau_3\wedge\tau_4}\ (\wedge{:}R)}{\Gamma, x:\tau_1\vee\tau_2 \vdash \text{case }x\text{ of }y.(M_1, M_3),\ z.(M_2, M_3) : \tau_3\wedge\tau_4}\ (\vee{:}L)
\]

In this rule, the derivation $\Delta_3$ is duplicated. The same phenomenon occurs in
the transformation of a conditional statement in [6]. It is not hard to modify the
rule for $(\vee{:}L)$ to avoid copying a part of the derivation by introducing an additional
assumption for holding the intermediate result of the case analysis.

We write
\[
\mathcal{S} \vdash \Gamma \vdash M \Rightarrow M' : \tau
\]
if the proof of $\Gamma \vdash M : \tau$ can be transformed to that of $\Gamma \vdash M' : \tau$ by
repeated application of some of the transformation rules in $\mathcal{S}$. Since each rule in
$\mathcal{S}$ is a valid proof transformation, it is immediate that if $\mathcal{GK} \vdash \Gamma \vdash M : \tau$ and
$\mathcal{S} \vdash \Gamma \vdash M \Rightarrow M' : \tau$ then $\mathcal{GK} \vdash \Gamma \vdash M' : \tau$. Moreover, we have the following.

Theorem 1. If $\mathcal{GK} \vdash \Gamma \vdash M : \tau$ then there is some $M'$ such that $\mathcal{S} \vdash \Gamma \vdash M \Rightarrow M' : \tau$ and $\mathcal{GKA} \vdash \Gamma \vdash M' : \tau$.

This is proved by a routine induction on the derivation of $M$. By these results, A-normal
forms can be regarded as a form of normal proofs in $\mathcal{GK}$ identified by
the subsystem $\mathcal{GKA}$.
This transformation is the first half of the proof normalization that corre-
sponds to the computation of a program in a conventional implementation. A
distinguishing property of this normalization process is that cuts are moved
downwards in the compound proofs of products and sums, which is the oppo-
site of the usual cut elimination procedure. As we shall show later, program
execution does not correspond to cut elimination either.

Our choice of the contraction-free variant of $\mathcal{GK}$ is suitable for the nor-
malization transformation. If we adopted Gentzen's original sequent cal-
culus, then additional machinery would have been needed. To see the diffi-
culty, consider the term $(\text{proj }z\text{ on }(x,y)\text{ in }(x,y),\ z)$. This is provable in
Gentzen's sequent calculus, but the corresponding A-normal form
$\text{proj }z\text{ on }(x,y)\text{ in }((x,y), z)$ is not directly provable in the subsystem corre-
sponding to Gentzen's sequent calculus, because there the left rule consumes the
assumption $z$ that the body $((x,y), z)$ still uses.

4 A-Normal Compilation as Proof Transformation

Our first main result is that the compilation from the set of typed lambda terms
into the set of A-normal forms is characterized as the combination of a proof
transformation from $\mathcal{N}$ to $\mathcal{GK}$ and a proof normalization from $\mathcal{GK}$ to $\mathcal{GKA}$.

We first state a well known result in proof theory.

Theorem 2 ([8,18,21,17]). There is an algorithm, denoted here by $\mathcal{NG}$, that
transforms any $\mathcal{N}$ proof to a $\mathcal{GK}$ proof.

The main idea behind $\mathcal{NG}$ is to decompose an elimination rule into the combi-
nation of a left rule and a cut rule. Since this result will be used in the following
development, we include some important cases of the algorithm $\mathcal{NG}$ in Fig. 5.

By combining Theorem 1 and Theorem 2, we have the following.

Corollary 3. Every proof in $\mathcal{N}$ is transformed to a proof in $\mathcal{GKA}$.

Moreover, compiling a lambda term to an A-normal form is exactly this trans-
formation, which we prove below.

Flanagan et al. [6] have given a linear time compilation algorithm from
lambda terms to A-normal forms in Scheme using the two-level programming
technique for CPS algorithms by Danvy and Filinski [5]. To establish the desired
result, it is essential to reason about the meta-level language as well. For this
purpose, we re-state their algorithm using a simply typed first-order language
for manipulating sequent proofs. To define the language, we extend the proof
system with proof variables (ranged over by $X$) typed with a logical sequent
$\Gamma \vdash \tau$. We also extend the set of terms with the same set of variables. We use $\sigma$
as a meta variable ranging over logical sequents $\Gamma \vdash \tau$ regarded as types. Let $\Omega$
be a type assignment for proof variables, which is a mapping from a finite
set of proof variables to types (logical sequents), and write $\{X_1 : \sigma_1, \ldots, X_n : \sigma_n\}$
for a type assignment that assigns $\sigma_i$ to $X_i$. Let $\mathcal{GK}(\Omega)$ be the proof system
obtained from $\mathcal{GK}$ by adding $\Gamma \vdash X : \tau$ as an axiom for each $X : \Gamma \vdash \tau$ in $\Omega$,
and also by adding the set of variables appearing in $\Omega$ as new term variables.
\[
\mathcal{NG}\left(
\dfrac{\Pi_1\ (\Gamma \vdash M_1 : \tau_1\supset\tau_2) \qquad \Pi_2\ (\Gamma \vdash M_2 : \tau_1)}{\Gamma \vdash M_1\,M_2 : \tau_2}\ (\supset{:}E)
\right) =
\]
\[
\dfrac{\mathcal{NG}(\Pi_1)\ (\Gamma \vdash M_1 : \tau_1\supset\tau_2) \qquad
\dfrac{\mathcal{NG}(\Pi_2) + \{x:\tau_1\supset\tau_2\}\ (\Gamma, x:\tau_1\supset\tau_2 \vdash M_2 : \tau_1) \qquad \dfrac{}{\Gamma, x:\tau_1\supset\tau_2, y:\tau_2 \vdash y : \tau_2}\ (\text{taut})}{\Gamma, x:\tau_1\supset\tau_2 \vdash \text{app }(x\ M_2)\text{ is }y\text{ in }y : \tau_2}\ (\supset{:}L)}
{\Gamma \vdash \text{let }x = M_1\text{ in app }(x\ M_2)\text{ is }y\text{ in }y : \tau_2}\ (\text{cut})
\]

\[
\mathcal{NG}\left(
\dfrac{\Pi_1\ (\Gamma \vdash M : \tau_1\wedge\tau_2)}{\Gamma \vdash M.i : \tau_i}\ (\wedge{:}E_i)
\right) =
\dfrac{\mathcal{NG}(\Pi_1)\ (\Gamma \vdash M : \tau_1\wedge\tau_2) \qquad
\dfrac{\dfrac{}{\Gamma, y:\tau_1\wedge\tau_2, x_1:\tau_1, x_2:\tau_2 \vdash x_i : \tau_i}\ (\text{taut})}{\Gamma, y:\tau_1\wedge\tau_2 \vdash \text{proj }y\text{ on }(x_1,x_2)\text{ in }x_i : \tau_i}\ (\wedge{:}L)}
{\Gamma \vdash \text{let }y = M\text{ in proj }y\text{ on }(x_1,x_2)\text{ in }x_i : \tau_i}\ (\text{cut})
\qquad (i \in \{1,2\})
\]

\[
\mathcal{NG}\left(
\dfrac{\Pi_1\ (\Gamma \vdash M_1 : \tau_1\vee\tau_2) \qquad \Pi_2\ (\Gamma, x_1:\tau_1 \vdash M_2 : \tau_3) \qquad \Pi_3\ (\Gamma, x_2:\tau_2 \vdash M_3 : \tau_3)}{\Gamma \vdash \text{case }M_1\text{ of }\lambda x_1.M_2,\ \lambda x_2.M_3 : \tau_3}\ (\vee{:}E)
\right) =
\]
\[
\dfrac{\mathcal{NG}(\Pi_1)\ (\Gamma \vdash M_1 : \tau_1\vee\tau_2) \qquad
\dfrac{\mathcal{NG}(\Pi_2) + \{y:\tau_1\vee\tau_2\}\ (\Gamma, y:\tau_1\vee\tau_2, x_1:\tau_1 \vdash M_2 : \tau_3) \qquad \mathcal{NG}(\Pi_3) + \{y:\tau_1\vee\tau_2\}\ (\Gamma, y:\tau_1\vee\tau_2, x_2:\tau_2 \vdash M_3 : \tau_3)}{\Gamma, y:\tau_1\vee\tau_2 \vdash \text{case }y\text{ of }x_1.M_2,\ x_2.M_3 : \tau_3}\ (\vee{:}L)}
{\Gamma \vdash \text{let }y = M_1\text{ in case }y\text{ of }x_1.M_2,\ x_2.M_3 : \tau_3}\ (\text{cut})
\]

Fig. 5. Some of the proof translation rules of $\mathcal{NG}$ from $\mathcal{N}$ to $\mathcal{GK}$



We write $\mathcal{GK}(\Omega) \vdash \Gamma \vdash M : \tau$ if $\Gamma \vdash M : \tau$ is provable in $\mathcal{GK}(\Omega)$. If $\Delta_1$ is a
proof containing an axiom for $X$ of type $\sigma$ and $\Delta_2$ is a proof of type $\sigma$ then we
write $[\Delta_2/X]\Delta_1$ for the proof obtained from $\Delta_1$ by replacing each occurrence of
the axiom for $X$ with $\Delta_2$ and the variable occurrences of $X$ in the terms of $\Delta_1$ by
the term $M_2$ proved by $\Delta_2$. The following substitution property holds.

Proposition 4. 1. If $\Delta_1$ is a proof of $\sigma_1$ in $\mathcal{GK}(\Omega, X : \sigma_2)$ and $\Delta_2$ is a proof
of $\sigma_2$ in $\mathcal{GK}(\Omega)$ then $[\Delta_2/X]\Delta_1$ is a proof of $\sigma_1$ in $\mathcal{GK}(\Omega)$.

2. If $\mathcal{GK}(\Omega, X : (\Gamma_2 \vdash \tau_2)) \vdash \Gamma_1 \vdash M_1 : \tau_1$ and $\mathcal{GK}(\Omega) \vdash \Gamma_2 \vdash M_2 : \tau_2$ then
$\mathcal{GK}(\Omega) \vdash \Gamma_1 \vdash [M_2/X]M_1 : \tau_1$.

The set of typings of the first-order language (whose terms are ranged over
by $D$) is defined by the following rules to derive a typing of the form $\Omega \vdash D : \sigma$
denoting the fact that $D$ is a well typed term under $\Omega$.

— $\Omega \vdash D : (\Gamma \vdash \tau)$ if $\mathcal{GK}(\Omega) \vdash \Gamma \vdash D : \tau$.

— $\Omega \vdash \delta X : \sigma_1.D : \sigma_1 \Rightarrow \sigma_2$ if $\Omega, X : \sigma_1 \vdash D : \sigma_2$.

— $\Omega \vdash D_1 \odot D_2 : \sigma$ if $\Omega \vdash D_1 : \sigma_1 \Rightarrow \sigma$ and $\Omega \vdash D_2 : \sigma_1$.

The reduction relation on this language is defined by the following rule:
\[
(\delta X : \sigma_1.D_1) \odot D_2 \Rightarrow [D_2/X]D_1
\]
In the following we omit the type annotation in $\delta X : \sigma_1.D$ if it does not cause
any confusion.

It is easily seen that the reduction is confluent and terminating. We regard
terms of this language as those modulo the equality induced by this reduction
relation. Also, $X$ in $\delta X.D$ is a bound variable, and we regard terms modulo
bound variable renaming. From this and Proposition 4, the following properties
are immediate.

Proposition 5. 1. If $\Omega \vdash D : \sigma$ then $D$ determines a proof of $\sigma$ in $\mathcal{GK}(\Omega)$.

2. If $\Omega \vdash D : \sigma_1 \Rightarrow \sigma_2$ then $D$ is a term of the form $\delta X : \sigma_1.D'$ such that
$\Omega, X : \sigma_1 \vdash D' : \sigma_2$.

We can therefore regard a typed term $D$ such that $\Omega \vdash D : (\Gamma \vdash \tau_1) \Rightarrow (\Gamma' \vdash \tau_2)$
as a "context," i.e. a proof of $\Gamma' \vdash \tau_2$ in $\mathcal{GK}(\Omega)$ containing a "hole" to be filled
with a proof of $\Gamma \vdash \tau_1$ in $\mathcal{GK}(\Omega)$.

Suppose $\Omega \vdash D : \sigma$. We write $\mathcal{S}(\Omega) \vdash D \Rightarrow D' : \sigma$ if the proof determined
by $D$ is reduced to the one determined by $D'$ in $\mathcal{GK}(\Omega)$ using the set $\mathcal{S}$ of proof
reduction rules defined earlier. Suppose $\Omega \vdash D : \sigma_1 \Rightarrow \sigma_2$. We also
write $\mathcal{S}(\Omega) \vdash D \Rightarrow D' : \sigma_1 \Rightarrow \sigma_2$ if $D = \delta X : \sigma_1.D_0$, $D' = \delta X : \sigma_1.D_1$ and
$\mathcal{S}(\Omega, X : \sigma_1) \vdash D_0 \Rightarrow D_1 : \sigma_2$.

The following two lemmas can then be shown by the properties of proofs in
$\mathcal{GK}$ using Proposition 5.

Lemma 6. If $\Omega \vdash D : (\Gamma_1 \vdash \tau_1) \Rightarrow (\Gamma_2 \vdash \tau_2)$, $x \notin dom(\Gamma_1) \cup dom(\Gamma_2)$ and
$\Omega \subseteq \Omega'$ then $\Omega' \vdash D : (\Gamma_1, x : \tau_3 \vdash \tau_1) \Rightarrow (\Gamma_2, x : \tau_3 \vdash \tau_2)$.

Lemma 7. If $\mathcal{S}(\Omega) \vdash D_1 \Rightarrow D_1' : \sigma \Rightarrow \sigma'$ and $\mathcal{S}(\Omega) \vdash D_2 \Rightarrow D_2' : \sigma$ then
$\mathcal{S}(\Omega) \vdash D_1 \odot D_2 \Rightarrow D_1' \odot D_2' : \sigma'$.

Using this first-order language, the A-normal translation algorithm is given as a
function $[\![\_]\!]\_$ that takes a term $D$ such that $\Omega \vdash D : \Gamma_1 \vdash \tau_1$ and a function
term $k$ such that $\Omega \vdash k : (\Gamma_1 \vdash \tau_1) \Rightarrow (\Gamma_2 \vdash \tau_2)$, and returns a term $D'$ such that
$\Omega \vdash D' : \Gamma_2 \vdash \tau_2$. For notational reasons, we give the algorithm as one
that transforms untyped terms in Fig. 6. (Note that the first-order language
does not contain variables of function type; $k$ used in this definition is a meta
variable denoting a term of the form $\delta X.D$.) It is straightforward to construct the
complete algorithm from this description. This algorithm, when regarded as one
on untyped lambda terms, is a generalization of the A-normalization algorithm
given in [6].

Under these preparations, we can now establish the following desired result.

Theorem 8. If $\mathcal{N} \vdash \Gamma \vdash M : \tau_1$ and $\Omega \vdash k : (\Gamma' \vdash \tau_1) \Rightarrow (\Gamma \vdash \tau_2)$ such that
$\Gamma \subseteq \Gamma'$ then $\Omega \vdash [\![M]\!]k : \Gamma \vdash \tau_2$ and $\mathcal{S}(\Omega) \vdash k \odot \mathcal{NG}(M) \Rightarrow [\![M]\!]k : (\Gamma \vdash \tau_2)$.

As a special case of Theorem 8 where $k$ is $\delta X.X$, we have the following.

Corollary 9. If $\mathcal{N} \vdash \Gamma \vdash M : \tau$ then $\mathcal{GKA} \vdash \Gamma \vdash [\![M]\!]\delta X.X : \tau$ and
$\mathcal{S} \vdash \Gamma \vdash \mathcal{NG}(M) \Rightarrow [\![M]\!]\delta X.X : \tau$.

This establishes that A-normal compilation corresponds to proof transformation.
\[
\begin{array}{rcl}
[\![c]\!]k & = & k \odot c \\
[\![x]\!]k & = & k \odot x \\
[\![\lambda x.M]\!]k & = & k \odot (\lambda x.[\![M]\!](\delta X.X)) \\
[\![(M\ N)]\!]k & = & [\![M]\!](\delta X.[\![N]\!](\delta Y.\text{let }x = X\text{ in app }(x\ Y)\text{ is }z\text{ in }k \odot z)) \\
[\![(M, N)]\!]k & = & [\![M]\!](\delta X.[\![N]\!](\delta Y.k \odot (X, Y))) \\
[\![M.i]\!]k & = & [\![M]\!](\delta X.\text{let }x = X\text{ in proj }x\text{ on }(x_1, x_2)\text{ in }k \odot x_i) \\
[\![\text{in}_i(M)]\!]k & = & [\![M]\!](\delta X.k \odot \text{in}_i(X)) \\
[\![\text{case }M\text{ of }\lambda x.N,\ \lambda y.L]\!]k & = & [\![M]\!](\delta X.\text{let }z = X\text{ in case }z\text{ of }x.[\![N]\!]k,\ y.[\![L]\!]k)
\end{array}
\]

Fig. 6. A-normal compilation algorithm $[\![\_]\!]\_$



5 Program Execution as Proof Reduction

We move to the second half of our Curry-Howard isomorphism and establish that
the execution of the compiled program by an abstract machine corresponds to a
proof reduction process in $\mathcal{GKA}$. For the set of A-normal forms, Flanagan et al.
[6] have defined an abstract machine called $C_aEK$. Here we define an equivalent
operational semantics in the style of natural semantics [12], which makes the
correspondence to logic more evident. The set of runtime values (ranged over
by $r$) is given by the following syntax:
\[
r ::= c^b \mid \text{cls}(E, \lambda x.M) \mid (r, r) \mid \text{in}_1(r) \mid \text{in}_2(r)
\]
$\text{cls}(E, \lambda x.M)$ is a closure representing a function, where $E$ is a runtime environ-
ment, which is a mapping from a finite set of variables to runtime values. Fig. 7
defines the operational semantics as a set of rules to derive the relation $E \vdash M \Downarrow r$
indicating the fact that $M$ is evaluated to $r$ under $E$.

Computation Rules:
\[
\begin{array}{c}
\dfrac{E(x) = \text{cls}(E_1, \lambda z.M_1) \qquad \gamma(E, V) = r_1 \qquad E_1, z : r_1 \vdash M_1 \Downarrow r_2 \qquad E, y : r_2 \vdash M \Downarrow r}{E \vdash \text{app }(x\ V)\text{ is }y\text{ in }M \Downarrow r}
\\[3ex]
\dfrac{E(x) = (r_1, r_2) \qquad E, y : r_1, z : r_2 \vdash M \Downarrow r}{E \vdash \text{proj }x\text{ on }(y,z)\text{ in }M \Downarrow r}
\qquad
\dfrac{E(x) = \text{in}_1(r_1) \qquad E, y : r_1 \vdash M_1 \Downarrow r}{E \vdash \text{case }x\text{ of }y.M_1,\ z.M_2 \Downarrow r}
\\[3ex]
\dfrac{E(x) = \text{in}_2(r_1) \qquad E, z : r_1 \vdash M_2 \Downarrow r}{E \vdash \text{case }x\text{ of }y.M_1,\ z.M_2 \Downarrow r}
\qquad
\dfrac{\gamma(E, V) = r_1 \qquad E, x : r_1 \vdash M \Downarrow r}{E \vdash \text{let }x = V\text{ in }M \Downarrow r}
\qquad
\dfrac{}{E \vdash V \Downarrow \gamma(E, V)}
\end{array}
\]
Value Construction Rules:
\[
\begin{array}{c}
\gamma(E, c^b) = c^b \qquad \gamma(E, x) = E(x) \qquad \gamma(E, \lambda x.M) = \text{cls}(E, \lambda x.M) \\[1ex]
\gamma(E, (V_1, V_2)) = (\gamma(E, V_1), \gamma(E, V_2)) \qquad \gamma(E, \text{in}_i(V)) = \text{in}_i(\gamma(E, V))
\end{array}
\]

Fig. 7. Operational semantics for A-normal forms
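Fig. 6 and Fig. 7 together, as an added Python example (this is neither the paper's code nor the Scheme implementation of [6]): `anf` is the compilation $[\![M]\!]k$ with the meta-term $\delta X.D$ represented by a Python function, `evaluate` is the natural semantics of Fig. 7 with environments as dictionaries and closures as cls(E, λx.M), and `compile_and_run` composes the two under the empty environment, i.e. Corollary 9 followed by Theorem 10 on a concrete program. The tuple encodings of terms and the fresh-name scheme are assumptions of this example.

```python
import itertools

# Assumed encodings (not the paper's notation).
# Natural-deduction (N) terms:
#   ("const", c) | ("var", x) | ("lam", x, M) | ("app", M, N) | ("pair", M, N) | ("proj", M, i)
#   | ("in1", M) | ("in2", M) | ("case", M, x, N, y, L)        case M of lambda x.N, lambda y.L
# A-normal forms:
#   ("app", x, V, y, M)  app (x V) is y in M | ("proj", x, y, z, M) | ("case", x, y, M1, z, M2)
#   | ("let", x, V, M) | values with the same tags as above
# Runtime values: ("const", c) | ("cls", E, ("lam", x, M)) | ("pair", r, r) | ("in1", r) | ("in2", r)

_counter = itertools.count()

def fresh(prefix):
    """Fresh names for the binders that the compilation introduces."""
    return "%s%d" % (prefix, next(_counter))

def anf(m, k):
    """[M]k of Fig. 6; the meta-term delta X.D is the Python function k, and k (.) V is k(V)."""
    tag = m[0]
    if tag in ("const", "var"):          # [c]k = k (.) c,   [x]k = k (.) x
        return k(m)
    if tag == "lam":                     # [lambda x.M]k = k (.) (lambda x.[M](delta X.X))
        return k(("lam", m[1], anf(m[2], lambda x: x)))
    if tag == "app":                     # [(M N)]k = [M](dX.[N](dY.let x = X in app (x Y) is z in k (.) z))
        def after_fun(X):
            def after_arg(Y):
                x, z = fresh("f"), fresh("r")
                return ("let", x, X, ("app", x, Y, z, k(("var", z))))
            return anf(m[2], after_arg)
        return anf(m[1], after_fun)
    if tag == "pair":                    # [(M,N)]k = [M](dX.[N](dY.k (.) (X,Y)))
        return anf(m[1], lambda X: anf(m[2], lambda Y: k(("pair", X, Y))))
    if tag == "proj":                    # [M.i]k = [M](dX.let x = X in proj x on (x1,x2) in k (.) xi)
        def after(X):
            x, x1, x2 = fresh("p"), fresh("a"), fresh("b")
            return ("let", x, X, ("proj", x, x1, x2, k(("var", x1 if m[2] == 1 else x2))))
        return anf(m[1], after)
    if tag in ("in1", "in2"):            # [in_i(M)]k = [M](dX.k (.) in_i(X))
        return anf(m[1], lambda X: k((tag, X)))
    if tag == "case":                    # [case M of lx.N, ly.L]k = [M](dX.let z = X in case z of x.[N]k, y.[L]k)
        def after(X):
            z = fresh("s")
            return ("let", z, X, ("case", z, m[2], anf(m[3], k), m[4], anf(m[5], k)))
        return anf(m[1], after)
    raise ValueError("unknown term tag: %r" % (tag,))

def gamma(env, v):
    """Value construction rules gamma(E, V) of Fig. 7."""
    tag = v[0]
    if tag == "const":
        return v
    if tag == "var":
        return env[v[1]]
    if tag == "lam":
        return ("cls", env, v)
    if tag == "pair":
        return ("pair", gamma(env, v[1]), gamma(env, v[2]))
    return (tag, gamma(env, v[1]))       # in1 / in2

def evaluate(env, m):
    """Computation rules E |- M => r of Fig. 7; environments are dicts and are never mutated."""
    tag = m[0]
    if tag == "app":
        _, x, V, y, body = m
        _, env1, (_, z, m1) = env[x]     # E(x) = cls(E1, lambda z.M1)
        r2 = evaluate({**env1, z: gamma(env, V)}, m1)
        return evaluate({**env, y: r2}, body)
    if tag == "proj":
        _, x, y, z, body = m
        _, r1, r2 = env[x]               # E(x) = (r1, r2)
        return evaluate({**env, y: r1, z: r2}, body)
    if tag == "case":
        _, x, y, m1, z, m2 = m
        inj, r1 = env[x]                 # E(x) = in_i(r1)
        return evaluate({**env, y: r1}, m1) if inj == "in1" else evaluate({**env, z: r1}, m2)
    if tag == "let":
        _, x, V, body = m
        return evaluate({**env, x: gamma(env, V)}, body)
    return gamma(env, m)                 # M is a value

def compile_and_run(term):
    """[M](delta X.X), then evaluation under the empty environment."""
    return evaluate({}, anf(term, lambda x: x))

# Constructed inputs: (lambda p.(p.2, p.1)) (1, 2)  and  (lambda s. case s of la.a, lb.(b,b)) in2(5).
SWAP = ("app", ("lam", "p", ("pair", ("proj", ("var", "p"), 2), ("proj", ("var", "p"), 1))),
        ("pair", ("const", 1), ("const", 2)))
DUP = ("app", ("lam", "s", ("case", ("var", "s"), "a", ("var", "a"), "b", ("pair", ("var", "b"), ("var", "b")))),
       ("in2", ("const", 5)))

if __name__ == "__main__":
    print(anf(SWAP, lambda x: x))
    print(compile_and_run(SWAP), compile_and_run(DUP))
```

Note that `k` is applied twice in the case clause, which is the duplication of the continuation that the paper points out for $(\vee{:}L)$; and that `evaluate` never rewrites the program, it only extends environments (the cuts) and inspects data constructors (the left rules), which is the correspondence stated at the end of this section.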
\[
\begin{array}{c}
\textbf{Lambda derivations} \\[1ex]
\dfrac{\Gamma, x:\tau_1 \vdash M : \tau_2}{\Gamma \vdash_\lambda \lambda x.M : \tau_1\supset\tau_2}\ (\supset{:}R)
\qquad
\dfrac{\Gamma \vdash_v M_1 : \tau_1 \qquad \Gamma, x:\tau_1 \vdash_\lambda M_2 : \tau_2}{\Gamma \vdash_\lambda \text{let }x = M_1\text{ in }M_2 : \tau_2}\ (\text{cut})
\\[3ex]
\textbf{Value derivations} \\[1ex]
\dfrac{}{\Gamma \vdash_v c^b : b}\ (\text{axiom})
\qquad
\dfrac{\Gamma \vdash_\lambda M : \tau \qquad FV(M) = \emptyset}{\Gamma \vdash_v M : \tau}\ (\text{closure})
\\[3ex]
\dfrac{\Gamma \vdash_v M_1 : \tau_1 \qquad \Gamma \vdash_v M_2 : \tau_2}{\Gamma \vdash_v (M_1, M_2) : \tau_1\wedge\tau_2}\ (\wedge{:}R)
\qquad
\dfrac{\Gamma \vdash_v M : \tau_i}{\Gamma \vdash_v \text{in}_i(M) : \tau_1\vee\tau_2}\ (\vee{:}R_i)\ (i \in \{1,2\})
\end{array}
\]

Fig. 8. Runtime value derivations



We show that this operational semantics corresponds to proof reduction in
$\mathcal{GKA}$. We first define a restriction of $\mathcal{GKA}$ in Fig. 8 that corresponds to the set of
runtime values defined above. In this system, a judgment of the form $\Gamma \vdash_v M : \tau$
corresponds to a runtime value, and one of the form $\Gamma \vdash_\lambda M : \tau$ is an auxiliary
judgment used to derive a closure. If $\Gamma \vdash_\lambda M : \tau$ is derivable, then $M$ is
of the form
\[
\text{let }x_1 = M_1\text{ in }\ldots\text{ let }x_n = M_n\text{ in }\lambda x.M
\]
By the definition of the restricted proof system, each $M_i$ is closed, and the
order of the cuts is irrelevant. We can therefore consider the series of cuts as a
mapping from variables to closed terms of the form $\{x_1 = M_1, \ldots, x_n = M_n\}$,
consider the term modulo the equivalence induced by reordering of cuts, and
write $\text{let }\{x_1 = M_1, \ldots, x_n = M_n\}\text{ in }\lambda x.M$. Let $E$ be a mapping from variables
to closed terms. We write $E : \Gamma$ if $dom(E) = dom(\Gamma)$ and for each $x \in dom(E)$,
$\emptyset \vdash_v E(x) : \Gamma(x)$ is provable. If $E : \Gamma$, then the sequence of cuts corresponding
to $E$ is abbreviated as follows:
\[
\dfrac{E : \Gamma_1 \qquad \Gamma_2, \Gamma_1 \vdash M : \tau_2}{\Gamma_2 \vdash \text{let }E\text{ in }M : \tau_2}
\]
Under this interpretation, if $\Gamma \vdash_v M : \tau$ is provable by the proof rules in Fig. 8
then $M$ is isomorphic to some runtime value $r$ defined above, and therefore the
typing rules can be regarded as a type system of runtime values. In what follows,
we identify runtime values with the corresponding terms and write $\Gamma \vdash_v r : \tau$ if
a term corresponding to $r$ is derivable.

Our plan now is to interpret the evaluation relation $E \vdash M \Downarrow r$ as a proof
reduction that transforms the proof represented by $\text{let }E\text{ in }M$ to the one
represented by $r$. The second major result of this paper is to establish that this
is indeed the case, as shown in the following.

Theorem 10. There is an algorithm taking a proof of $\emptyset \vdash \text{let }E\text{ in }M : \tau$ and
producing a runtime value $r$ and a proof of $\emptyset \vdash_v r : \tau$.

Proof (Outline). This is proved by defining a proof reduction algorithm, denoted
as $\emptyset \vdash \text{let }E\text{ in }M \Downarrow r : \tau$, and showing its correctness. Due to the space
limitation, we can only explain the main idea behind the proof.
The proof reduction algorithm first transforms a proof (represented by a
term) of the form $\text{let }E\text{ in }M$ to a proof of the form $\text{let }E'\text{ in }V$. This is
done by inductively applying the algorithm to each argument proof to obtain
a runtime value proof, and converting left rules in $M$ to cuts of those runtime
value proofs. The algorithm then converts $\text{let }E'\text{ in }V$ to a runtime value proof.
The correctness of the algorithm is shown using the idea of logical relations and
reducibility [20]. We first define a family of predicates $P(\tau)$ indexed by types:
$r \in P(\tau)$ if one of the following holds.

— if $\tau = b$ then $r = c^b$.

— if $\tau = \tau_1\supset\tau_2$ then $r = \text{let }E\text{ in }\lambda x.M$ such that $\forall r_1 \in P(\tau_1).\ \exists r_2.\ \emptyset \vdash \text{let }E\{x : r_1\}\text{ in }M \Downarrow r_2 : \tau_2$ and $r_2 \in P(\tau_2)$.

— if $\tau = \tau_1\wedge\tau_2$ then $r = (r_1, r_2)$ such that $r_1 \in P(\tau_1)$ and $r_2 \in P(\tau_2)$.

— if $\tau = \tau_1\vee\tau_2$ then either $r = \text{in}_1(r_1)$ such that $r_1 \in P(\tau_1)$, or $r = \text{in}_2(r_1)$ such
that $r_1 \in P(\tau_2)$.

We then show the following property:

if $\Gamma \vdash M : \tau$ and for each $x \in dom(E)$, $E(x) \in P(\Gamma(x))$, then $\emptyset \vdash \text{let }E\text{ in }M \Downarrow r : \tau$ for some $r$ such that $r \in P(\tau)$

by induction on the derivation of $M$. $\square$

This proof reduction algorithm, when projected on untyped terms, is the
operational semantics for A-normal forms given in Fig. 7. We have:
\[
\emptyset \vdash \text{let }E\text{ in }M \Downarrow r : \tau \quad\text{if and only if}\quad \text{there is some }\Gamma\text{ such that } E : \Gamma,\ \Gamma \vdash M : \tau,\ \text{and } E \vdash M \Downarrow r
\]
A distinguishing characteristic of the algorithm is that it is not based on the
usual cut elimination procedure. Instead of inductively eliminating cuts, it con-
verts left rules and cut rules to cuts whose proofs correspond to runtime
values and keeps them until the final result is obtained. This process reveals the
correspondence: a cut rule corresponds to building (extending) a runtime environ-
ment, and a left rule corresponds to computation on a data constructor.
6 Conclusions

We have developed a logical foundation for compilation and program execution
by showing that compilation of lambda terms to A-normal forms corresponds
to a proof transformation from the natural deduction system to a Gentzen-style
sequent calculus followed by a proof normalization in the sequent calculus, and
that evaluation of an A-normal form corresponds to a special proof reduction
process in the sequent calculus. These results extend the Curry-Howard isomor-
phism to compilation and program execution. There are a number of topics that
merit further investigation. An interesting topic is to extend the formalism to
second-order logic. Such an extension would provide a logical basis for the type-in-compi-
lation paradigm, where a second-order type system is used to optimize programs.
A-normal forms also appear to be related to various other computational inter-
pretations of lambda calculi. In particular, it would be beneficial to compare
the logical correspondence we have worked out with Moggi's [15] computational
lambda calculus and Kobayashi's work on modal logic [14].
Abstract. We present a system of natural deduction and associated
term calculus for intuitionistic non-commutative linear logic (INCLL)
as a conservative extension of intuitionistic linear logic. We prove sub-
ject reduction and the existence of canonical forms in the implicational
fragment.



1 Introduction 

Intuitionistic logic captures pure functional computation in a logical way, as can 
be seen from the Curry-Howard isomorphism between constructive proofs and 
functional programs. However, there are many structural properties of programs 
that are not captured within the intuitionistic framework, such as resource usage, 
computational complexity, and sequentiality. 

Intuitionistic linear logic [Gir87,Abr93,Bar97] can be thought of as a refine- 
ment of intuitionistic logic in which resource consumption properties of functions 
can be expressed internally. Here, we refine it further to allow the expression of 
sequencing of computations. We achieve this by controlling the use of the struc- 
tural rule of exchange to arrive at intuitionistic non-commutative linear logic 
(INCLL). Much research in non-commutative linear logic has been focused on 
simply removing the exchange rule from the underlying logic and only allowing 
exchange to be used in tandem with other structural rules on modal formulas. 
As an alternative we propose a system which distinguishes among unrestricted, 
linear, and ordered hypotheses. 

Our presentation of INCLL is in the form of natural deduction with proof 
terms, thereby departing from previous formulations based on the sequent calcu- 
lus [BC91,Abr90,Rue97]. This establishes the connection to functional computa- 
tion by an extension of the Curry-Howard isomorphism. INCLL is a conservative 
extension of dual intuitionistic linear logic [Bar97] which means that we strictly 
increase its expressive power. 

We have several motivating applications for this logic, although space does 
not permit their detailed analysis in this paper. One direct application is a 

Partially supported by the National Science Foundation under grant CCR-9804014. 

Partially supported by the National Science Foundation under grant CCR-9619584. 



J.-Y. Girard (Ed.): TLCA’99, LNCS 1581, pp. 295-309, 1999. 
© Springer-Verlag Berlin Heidelberg 1999 



296 Jeff Polakow and Frank Pfenning 



logical explanation for ordering properties of terms in continuation-passing style 
investigated by Danvy and the second author in [DP95] . The ordering inherent 
in non-commutative function arguments can be used to internalize stackability 
properties of program evaluation in a fragment of INCLL, which is large enough 
to capture the case of terms resulting from the standard CPS transformation. 

Furthermore, our system integrates the Lambek calculus [Lam58] into a func- 
tional framework which also permits ordinary and linear functions in a consistent 
manner. With the coexistence of linear and ordered functions, we can logically 
describe more natural language phenomena than with either one by itself; for 
example, pied-piping and unbounded filler-gap dependencies [Par89,Hod94]. Re- 
lated approaches to similar problems from computational linguistics are pursued, 
for example, by Kurtonina and Moortgat [KM96]. 

We show that our calculus permits canonical (that is, long $\beta\eta$-normal) forms,
which means that it is a candidate for a foundation of a logical framework and
logic programming language along the lines of Lolli [HM94] and linear LF [CP96].
In related work on a sequent calculus formulation of INCLL [PP99], we have
developed an efficient proof search mechanism suitable for logic programming
and applied it to algorithms for natural language parsing, sorting, and execution
of abstract machines [PP98].

We begin in Section 2 by introducing the implicational fragment of INCLL,
which is characterized by four implications: intuitionistic ($\rightarrow$), linear ($\multimap$), left
ordered ($\rightarrowtail$), and right ordered ($\twoheadrightarrow$). From a functional point of view, this cor-
responds to having four different types of functions: those which have no re-
strictions placed upon the use of their arguments; those which must use all
their arguments once in any order; and those which must use all of their
arguments once in a specified order. We prove that this fragment satisfies sub-
ject reduction, thereby validating the introduction and elimination rules. Strong
normalization and the Church-Rosser property also hold, but are elided in this
extended abstract.

In Section 3 we prove that every well-typed term has an equivalent canoni-
cal form, which is important for applications to logic programming and logical
frameworks. The proof of this property employs logical relations and we develop
the necessary machinery of substitutions. Then we introduce further logical con-
nectives in Section 4, which include a modal operator for mobility (¡) and the
usual connectives of linear logic. While subject reduction continues to hold, the
existence of commutative conversions destroys the canonical form property.

2 The Implicational Fragment 

We define intuitionistic non-commutative linear logic (INCLL) via a judgment
\[
\Gamma;\ \Delta;\ \Omega \vdash M : A
\]
where $\Gamma$ is a context of unrestricted hypotheses (allowing exchange, weakening,
and contraction), $\Delta$ is a context of linear hypotheses (allowing only exchange),
$\Omega$ is a context of ordered hypotheses, $M$ is a proof term, and $A$ is a formula.
Associativity is assumed implicitly for all three contexts. In general, we use
"formula" and "type" interchangeably, which is justified by the Curry-Howard
isomorphism.

If we reflect the three kinds of hypotheses as connectives in the language of
types, we obtain the familiar intuitionistic ($\rightarrow$) and linear ($\multimap$) implications, and
two forms of ordered implication, depending on whether hypotheses are taken
from the left ($\rightarrowtail$) or the right ($\twoheadrightarrow$) end of the ordered context. In the Lambek
calculus [Lam58], the left ordered implication $A \rightarrowtail B$ is written as $A \backslash B$, while
the right ordered implication $A \twoheadrightarrow B$ is written as $B / A$.



\[
\begin{array}{lcll}
\text{Types}\quad A & ::= & P & \text{atomic types} \\
 & \mid & A_1 \rightarrow A_2 & \text{intuitionistic implication} \\
 & \mid & A_1 \multimap A_2 & \text{linear implication} \\
 & \mid & A_1 \twoheadrightarrow A_2 & \text{ordered right implication} \\
 & \mid & A_1 \rightarrowtail A_2 & \text{ordered left implication}
\end{array}
\]


Proof terms are drawn from a $\lambda$-calculus in the style of Church, that is, each
valid term has a unique type, which seems essential for the logical framework
applications we have in mind. We distinguish between intuitionistic ($x$), linear
($y$), and ordered ($z$) variables and write $v$ if a variable might be declared in any
of the three contexts.
\[
\begin{array}{lcll}
\text{Terms}\quad M & ::= & x \mid y \mid z & \text{variables} \\
 & \mid & \lambda x{:}A.\,M \mid M_1\,M_2 & \text{intuitionistic functions } (A \rightarrow B) \\
 & \mid & \hat{\lambda} y{:}A.\,M \mid M_1 \mathbin{\hat{\ }} M_2 & \text{linear functions } (A \multimap B) \\
 & \mid & \hat{\lambda}^{>} z{:}A.\,M \mid M_1 \mathbin{\hat{>}} M_2 & \text{right ordered functions } (A \twoheadrightarrow B) \\
 & \mid & \hat{\lambda}^{<} z{:}A.\,M \mid M_1 \mathbin{\hat{<}} M_2 & \text{left ordered functions } (A \rightarrowtail B)
\end{array}
\]
Contexts $\Gamma$, $\Delta$, and $\Omega$ are simply lists of assumptions $v{:}A$, where all variables
$v$ are distinct but of the same category (intuitionistic, linear, or ordered). We
use $\cdot$ to stand for the empty context, but we often omit it at the beginning of
a context. We allow bound variables to be renamed tacitly.

In order to describe the inference rules, we need some auxiliary operations on
contexts, context concatenation $\Omega, \Omega'$ and context merge $\Delta \bowtie \Delta'$. Concatenation
preserves the order of the assumptions, while the non-deterministic merge allows
any interleaving of assumptions.

When viewing a natural deduction bottom-up, we think of context concate-
nation $\Omega_1, \Omega_2$ as ordered context split and context merge $\Delta_1 \bowtie \Delta_2$ as context
split. Both of these are non-deterministic when read in this way, that is, there
may be many ways to split a context $\Omega = \Omega_1, \Omega_2$ or $\Delta = \Delta_1 \bowtie \Delta_2$.

We now present the introduction and elimination rules for each implicational
connective in turn. Other connectives are treated in Section 4. Generally, we use
$\Gamma$, $\Delta$ and $\Omega$ to stand for contexts declaring intuitionistic, linear, and ordered
variables, respectively.



Intuitionistic Functions $A \rightarrow B$. Since neither the linear nor the ordered context
admits weakening, the rule for unrestricted variables requires them to be empty.
In the introduction rule, new variables are added at the right of $\Gamma$, but they
could just as well be added on the left since the intuitionistic context admits
exchange (see Lemma 1). In the elimination rule we cannot allow the derivation
of the minor premise to depend on linear or ordered assumptions, since the use
of $A$ in the proof of $A \rightarrow B$ is unrestricted and subject reduction would fail.
The intuitionistic context must be the same in both premises, which indicates
that the rules are biased towards a bottom-up reading, where we distribute the
hypotheses $\Gamma$ to both premises, relying on the validity of contraction for the
intuitionistic context.
\[
\dfrac{}{(\Gamma_1, x{:}A, \Gamma_2);\ \cdot;\ \cdot \vdash x : A}\ \text{ivar}
\qquad
\dfrac{(\Gamma, x{:}A);\ \Delta;\ \Omega \vdash M : B}{\Gamma;\ \Delta;\ \Omega \vdash \lambda x{:}A.\,M : A \rightarrow B}\ {\rightarrow}I
\qquad
\dfrac{\Gamma;\ \Delta;\ \Omega \vdash M : A \rightarrow B \qquad \Gamma;\ \cdot;\ \cdot \vdash N : A}{\Gamma;\ \Delta;\ \Omega \vdash M\,N : B}\ {\rightarrow}E
\]

Linear Functions $A \multimap B$. The rules for linear functions exhibit the new phe-
nomenon that the linear contexts from the premises of the elimination rule are
interleaved to form the linear context of the conclusion, which expresses the
linearity condition concisely.
\[
\dfrac{}{\Gamma;\ y{:}A;\ \cdot \vdash y : A}\ \text{lvar}
\qquad
\dfrac{\Gamma;\ (\Delta, y{:}A);\ \Omega \vdash M : B}{\Gamma;\ \Delta;\ \Omega \vdash \hat{\lambda} y{:}A.\,M : A \multimap B}\ {\multimap}I
\qquad
\dfrac{\Gamma;\ \Delta_1;\ \Omega \vdash M : A \multimap B \qquad \Gamma;\ \Delta_2;\ \cdot \vdash N : A}{\Gamma;\ (\Delta_1 \bowtie \Delta_2);\ \Omega \vdash M \mathbin{\hat{\ }} N : B}\ {\multimap}E
\]

Ordered Variables. Ordered variables must be the only ones in the hypothesis
rule, which expresses that ordered variables must also be linear. In other words,
order is seen as a further restriction on linearity, rather than as an independent
property (which is also conceivable).
\[
\dfrac{}{\Gamma;\ \cdot;\ z{:}A \vdash z : A}\ \text{ovar}
\]
Right Ordered Functions $A \twoheadrightarrow B$. In the introduction rule for right ordered func-
tions the variable $z$ must be new (by our general convention that variables in a
context are unique) and appear at the right end of the ordered context. In the
matching elimination rule, the ordered contexts of the premises are concatenated
in order to form the ordered context of the conclusion. The linear context is still
interleaved, so as not to violate linearity.
\[
\dfrac{\Gamma;\ \Delta;\ (\Omega, z{:}A) \vdash M : B}{\Gamma;\ \Delta;\ \Omega \vdash \hat{\lambda}^{>} z{:}A.\,M : A \twoheadrightarrow B}\ {\twoheadrightarrow}I
\qquad
\dfrac{\Gamma;\ \Delta_1;\ \Omega_1 \vdash M : A \twoheadrightarrow B \qquad \Gamma;\ \Delta_2;\ \Omega_2 \vdash N : A}{\Gamma;\ (\Delta_1 \bowtie \Delta_2);\ (\Omega_1, \Omega_2) \vdash M \mathbin{\hat{>}} N : B}\ {\twoheadrightarrow}E
\]
Left Ordered Functions $A \rightarrowtail B$. The rules for left ordered implication are sym-
metric to right ordered implication: the assumption $z{:}A$ appears at the left end of
the ordered context in the introduction rule, and the contexts are concatenated
in reverse order in the elimination rule. The fact that these rules are consistent
is demonstrated by the subject reduction theorem (Theorem 1).
\[
\dfrac{\Gamma;\ \Delta;\ (z{:}A, \Omega) \vdash M : B}{\Gamma;\ \Delta;\ \Omega \vdash \hat{\lambda}^{<} z{:}A.\,M : A \rightarrowtail B}\ {\rightarrowtail}I
\qquad
\dfrac{\Gamma;\ \Delta_2;\ \Omega_2 \vdash M : A \rightarrowtail B \qquad \Gamma;\ \Delta_1;\ \Omega_1 \vdash N : A}{\Gamma;\ (\Delta_1 \bowtie \Delta_2);\ (\Omega_1, \Omega_2) \vdash M \mathbin{\hat{<}} N : B}\ {\rightarrowtail}E
\]



To give more intuition to our formulation, we now reconsider the rules as 
they would be used in the bottom-up construction of a proof. 

In the three variable rules ivar, lvar, and ovar, the linear and ordered contexts must either be empty or contain only the subject variable, while the intuitionistic context is unrestricted. This forces linear and ordered assumptions to appear at least once in a term.

In the ${\multimap}E$, ${\twoheadrightarrow}E$, and ${\twoheadleftarrow}E$ rules, the linear context is split into two disjoint parts (when reading from the bottom up), which means that each assumption can be used at most once. In the ${\rightarrow}E$ rule, all linear assumptions propagate to the left premise. These observations together show that each linear variable is used at most once. Since it is also used at least once by the observation made about the variable rules, linear assumptions occur exactly once.

In the ${\twoheadrightarrow}E$ rule, the ordered context is split in an order-preserving way, with the leftmost assumptions $\Omega_1$ going to the left premise and the rightmost assumptions $\Omega_2$ going to the right premise. The converse applies to the ${\twoheadleftarrow}E$ rule. In the ${\rightarrow}E$ and ${\multimap}E$ rules the whole ordered context $\Omega$ goes to the left premise. These observations, together with the observation on the variable rules, show that ordered assumptions occur exactly once and in the order they were made.

As we will see, the emptiness restrictions on the linear and ordered contexts in the ${\rightarrow}E$ and ${\multimap}E$ rules are necessary to guarantee subject reduction. The reduction rules are simply $\beta$-reduction for all three kinds of functions. We will later also consider $\eta$-expansion.
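The resource discipline just described can be checked mechanically. The following type checker for the implicational fragment is an added example written for this page; it is not code from the paper or its authors. It keeps the three contexts of the judgment $\Gamma;\Delta;\Omega \vdash M : A$ and, rather than guessing how $\Delta$ and $\Omega$ split at an application, synthesises for each subterm the linear variables it consumes and the sequence of ordered variables it consumes, then checks every binder and the top-level contexts against those lists. The tuple encoding of terms and types, the kind letters `'i'`, `'l'`, `'>'`, `'<'`, and the sample terms are assumptions of this example.

```python
# Added example for this page (not code from the paper): a type checker for
# the implicational fragment of INCLL.  Instead of guessing how Delta and
# Omega split at an application, infer() returns, with the type of a subterm,
# the linear variables it consumes and the ordered variables it consumes in
# left-to-right order; binders and the top-level contexts are checked against
# those lists.  Encoding (an assumption of this example):
#   types: ('P', name) | (arrow, A, B), arrow in '->', '-o', '>>' (A ↠ B), '<<' (A ↣ B)
#   terms: ('var', x) | ('lam', kind, x, A, M) | ('app', kind, M, N)
#   kinds: 'i' intuitionistic, 'l' linear, '>' right ordered, '<' left ordered

ARROW_OF = {'i': '->', 'l': '-o', '>': '>>', '<': '<<'}


class IllTyped(Exception):
    pass


def infer(term, gamma, delta, omega):
    """gamma: dict (intuitionistic), delta: dict (linear),
    omega: list of (name, type) pairs (ordered, left to right).
    Returns (type, linear_uses, ordered_uses)."""
    omega_d = dict(omega)
    tag = term[0]
    if tag == 'var':
        x = term[1]
        if x in omega_d:                       # ovar: Gamma; .; z:A |- z : A
            return omega_d[x], [], [x]
        if x in delta:                         # lvar: Gamma; y:A; . |- y : A
            return delta[x], [x], []
        if x in gamma:                         # ivar
            return gamma[x], [], []
        raise IllTyped('unbound variable ' + x)
    if tag == 'lam':
        _, kind, x, a, body = term
        if x in gamma or x in delta or x in omega_d:
            raise IllTyped('variable %s already in context' % x)
        if kind == 'i':
            b, lu, ou = infer(body, {**gamma, x: a}, delta, omega)
        elif kind == 'l':                      # -oI: y consumed exactly once
            b, lu, ou = infer(body, gamma, {**delta, x: a}, omega)
            if lu.count(x) != 1:
                raise IllTyped('linear variable %s used %d times' % (x, lu.count(x)))
            lu = [v for v in lu if v != x]
        elif kind == '>':                      # ↠I: z is the rightmost ordered assumption
            b, lu, ou = infer(body, gamma, delta, omega + [(x, a)])
            if ou.count(x) != 1 or ou[-1] != x:
                raise IllTyped('ordered variable %s not consumed once at the right end' % x)
            ou = ou[:-1]
        elif kind == '<':                      # ↣I: z is the leftmost ordered assumption
            b, lu, ou = infer(body, gamma, delta, [(x, a)] + omega)
            if ou.count(x) != 1 or ou[0] != x:
                raise IllTyped('ordered variable %s not consumed once at the left end' % x)
            ou = ou[1:]
        else:
            raise IllTyped('unknown binder kind ' + str(kind))
        return (ARROW_OF[kind], a, b), lu, ou
    if tag == 'app':
        _, kind, m, n = term
        tm, lum, oum = infer(m, gamma, delta, omega)
        tn, lun, oun = infer(n, gamma, delta, omega)
        if tm[0] != ARROW_OF[kind] or tm[1] != tn:
            raise IllTyped('cannot apply %r to %r with kind %s' % (tm, tn, kind))
        if kind == 'i' and (lun or oun):       # ->E: argument typed in Gamma; .; .
            raise IllTyped('argument of ->E uses linear or ordered variables')
        if kind == 'l' and oun:                # -oE: argument typed in Gamma; Delta_2; .
            raise IllTyped('argument of -oE uses ordered variables')
        lu = lum + lun                         # Delta_1 and Delta_2 must be disjoint
        if len(set(lu)) != len(lu):
            raise IllTyped('linear variable used by both function and argument')
        # ordered contexts concatenate: (Omega_1, Omega_2) for M ^> N, and the
        # argument's variables to the left of the function's for M ^< N
        ou = oun + oum if kind == '<' else oum + oun
        return tm[2], lu, ou
    raise IllTyped('malformed term %r' % (term,))


def check(term, gamma, delta, omega):
    """Gamma; Delta; Omega |- term : A, with every linear and ordered
    assumption consumed exactly once and the ordered ones in order."""
    a, lu, ou = infer(term, gamma, delta, omega)
    if sorted(lu) != sorted(delta):
        raise IllTyped('linear context not consumed exactly: %r' % (sorted(lu),))
    if ou != [x for x, _ in omega]:
        raise IllTyped('ordered context consumed as %r' % (ou,))
    return a


def is_well_typed(term, gamma, delta, omega):
    try:
        check(term, gamma, delta, omega)
        return True
    except IllTyped:
        return False
```

With $f : A \twoheadrightarrow (A \twoheadrightarrow C)$ in $\Gamma$, the term $\lambda^{>} x{:}A.\,\lambda^{>} y{:}A.\,(f\,{}^{>}x)\,{}^{>}y$ checks, while swapping $x$ and $y$ in the body is rejected because the ordered variables are consumed as $y, x$ against a context $x, y$; the mirrored left-ordered term $\lambda^{<} x{:}A.\,\lambda^{<} y{:}A.\,(g\,{}^{<}x)\,{}^{<}y$ checks against $g : A \twoheadleftarrow (A \twoheadleftarrow C)$, since there the inner binder $y$ is the leftmost assumption.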



Reduction Rules.

$$(\lambda x{:}A.\,M)\,N \longrightarrow [N/x]M \qquad (\hat{\lambda} y{:}A.\,M)\,\hat{}\,N \longrightarrow [N/y]M$$
$$(\lambda^{>} z{:}A.\,M)\,{}^{>}N \longrightarrow [N/z]M \qquad (\lambda^{<} z{:}A.\,M)\,{}^{<}N \longrightarrow [N/z]M$$

In order to prove subject reduction we proceed to establish the expected 
structural properties for contexts and substitution lemmas. 
Lemma 1 (Structural Properties).

1. If $(\Gamma_1, x{:}A, x'{:}A', \Gamma_2);\Delta;\Omega \vdash M : B$ then $(\Gamma_1, x'{:}A', x{:}A, \Gamma_2);\Delta;\Omega \vdash M : B$.

2. If $(\Gamma_1, \Gamma_2);\Delta;\Omega \vdash M : B$ then $(\Gamma_1, x{:}A, \Gamma_2);\Delta;\Omega \vdash M : B$.

3. If $(\Gamma_1, x{:}A, x'{:}A, \Gamma_2);\Delta;\Omega \vdash M : B$ then $(\Gamma_1, x{:}A, \Gamma_2);\Delta;\Omega \vdash [x/x']M : B$.

4. If $\Gamma;(\Delta_1, y{:}A, y'{:}A', \Delta_2);\Omega \vdash M : B$ then $\Gamma;(\Delta_1, y'{:}A', y{:}A, \Delta_2);\Omega \vdash M : B$.

Proof: By induction on the structure of the given derivations. □



Lemma 2 (Substitution Properties).

1. If $(\Gamma_1, x{:}A, \Gamma_2);\Delta;\Omega \vdash M : B$ and $\Gamma_1;\cdot;\cdot \vdash N : A$ then $(\Gamma_1, \Gamma_2);\Delta;\Omega \vdash [N/x]M : B$.

2. If $\Gamma;(\Delta_1, y{:}A, \Delta_2);\Omega \vdash M : B$ and $\Gamma;\Delta';\cdot \vdash N : A$ then $\Gamma;(\Delta_1, \Delta', \Delta_2);\Omega \vdash [N/y]M : B$.

3. If $\Gamma;\Delta;(\Omega_1, z{:}A, \Omega_2) \vdash M : B$ and $\Gamma;\Delta';\Omega' \vdash N : A$ then $\Gamma;(\Delta \bowtie \Delta');(\Omega_1, \Omega', \Omega_2) \vdash [N/z]M : B$.

Proof: By induction over the structure of the given typing derivation for $M$ in each case, using Lemma 1. □

Subject reduction now follows immediately. 

Theorem 1 (Subject Reduction).

If $M \longrightarrow M'$ and $\Gamma;\Delta;\Omega \vdash M : A$ then $\Gamma;\Delta;\Omega \vdash M' : A$.

Proof: For each reduction, we apply inversion to the given typing derivation and then use the substitution lemma 2 to obtain the typing derivation for the conclusion. □

Subject reduction demonstrates that an introduction rule immediately followed by an elimination rule for the same connective can be reduced. This is a form of a local soundness theorem expressing that the elimination rules are not too strong. The corresponding global soundness property states that every derivation can be normalized entirely. This is easy to establish via a standard forgetful interpretation into the simply-typed $\lambda$-calculus. The normal form is also unique, which is a direct consequence of confluence. We will not formally state these theorems here, since they are beside the main interest of this paper. The proof of confluence is also completely standard (either developing a theory of residuals or using the Tait/Martin-Löf method of parallel reduction).

Local soundness (expressed as subject reduction) guarantees that, for each 
connective, the elimination rules are not too strong. To check that they are not 
too weak, we need to show that there is a way to apply elimination rules so that 
the original judgment can be recovered by introduction rules. This property 
of local completeness is expressed on proof terms as subject expansion, where "expansion" refers to $\eta$-expansion.
Theorem 2 (Subject Expansion).

1. If $\Gamma;\Delta;\Omega \vdash M : A \rightarrow B$ then $\Gamma;\Delta;\Omega \vdash \lambda x{:}A.\,M\,x : A \rightarrow B$.

2. If $\Gamma;\Delta;\Omega \vdash M : A \multimap B$ then $\Gamma;\Delta;\Omega \vdash \hat{\lambda} y{:}A.\,M\,\hat{}\,y : A \multimap B$.

3. If $\Gamma;\Delta;\Omega \vdash M : A \twoheadrightarrow B$ then $\Gamma;\Delta;\Omega \vdash \lambda^{>} z{:}A.\,M\,{}^{>}z : A \twoheadrightarrow B$.

4. If $\Gamma;\Delta;\Omega \vdash M : A \twoheadleftarrow B$ then $\Gamma;\Delta;\Omega \vdash \lambda^{<} z{:}A.\,M\,{}^{<}z : A \twoheadleftarrow B$.

Proof: By a direct derivation in each case, using weakening (lemma 1(2)) in part 1. □

A corresponding global property is the existence of long normal forms. This is the subject of the next section.

3 Canonical Forms 

The existence of canonical (or long $\beta\eta$-normal) forms is critical in logical framework applications of our calculus, since it is the canonical forms which are in bijective correspondence with the objects to be represented. This property is inherited both from the logical framework LF [HHP93] and its linear refinement LLF [CP96]. For the intuitionistic case, both syntactic and semantic proofs exist (see, for example, [Gha97]). Here we pursue a proof by logical relations, whose development also sheds light on the nature of substitutions in our calculus.

We first formalize the property that a term can be converted to canonical form via a deductive system which can easily be related to the usual notion of long $\beta\eta$-normal form. This deductive system can also be read as an algorithm for converting a term to canonical form.

We then prove that any well-typed term can indeed be converted to canonical form. Our proof will be an argument by Kripke logical relations (also called Tait's method) consisting of two parts: (1) if $M$ is a well-typed term of type $A$ then $M$ is in the logical relation represented by $A$, and (2) if $M$ is in the logical relation represented by $A$ then there is some canonical term $N$ convertible to $M$. Our reduction strategy is based on weak head reduction defined below.

$$\frac{}{(\lambda x{:}A.\,M)\,N \xrightarrow{\mathrm{whr}} [N/x]M}\ \beta_{\rightarrow}
\qquad
\frac{}{(\hat{\lambda} y{:}A.\,M)\,\hat{}\,N \xrightarrow{\mathrm{whr}} [N/y]M}\ \beta_{\multimap}$$

$$\frac{}{(\lambda^{>} z{:}A.\,M)\,{}^{>}N \xrightarrow{\mathrm{whr}} [N/z]M}\ \beta_{\twoheadrightarrow}
\qquad
\frac{}{(\lambda^{<} z{:}A.\,M)\,{}^{<}N \xrightarrow{\mathrm{whr}} [N/z]M}\ \beta_{\twoheadleftarrow}$$

$$\frac{M \xrightarrow{\mathrm{whr}} M'}{M\,N \xrightarrow{\mathrm{whr}} M'\,N}
\qquad
\frac{M \xrightarrow{\mathrm{whr}} M'}{M\,\hat{}\,N \xrightarrow{\mathrm{whr}} M'\,\hat{}\,N}
\qquad
\frac{M \xrightarrow{\mathrm{whr}} M'}{M\,{}^{>}N \xrightarrow{\mathrm{whr}} M'\,{}^{>}N}
\qquad
\frac{M \xrightarrow{\mathrm{whr}} M'}{M\,{}^{<}N \xrightarrow{\mathrm{whr}} M'\,{}^{<}N}$$
302 Jeff Polakow and Frank Pfenning 



Intuitively, canonical terms are atomic terms of atomic type or $\lambda$-abstractions of canonical terms. Atomic terms are variables or applications of atomic terms to canonical terms. This is formalized in the judgments $\Gamma;\Delta;\Omega \vdash M \Uparrow M' : A$, which denotes that $M$ has canonical form $M'$ at type $A$, and $\Gamma;\Delta;\Omega \vdash M \downarrow M' : A$, which denotes that $M$ has atomic form $M'$ at type $A$.

Atomic Types.

$$\frac{\Gamma;\Delta;\Omega \vdash M \downarrow M' : P}{\Gamma;\Delta;\Omega \vdash M \Uparrow M' : P}\ \text{coercion}
\qquad
\frac{M \xrightarrow{\mathrm{whr}} M' \quad \Gamma;\Delta;\Omega \vdash M' \Uparrow M'' : P}{\Gamma;\Delta;\Omega \vdash M \Uparrow M'' : P}\ \text{reduction}$$

Intuitionistic Functions.

$$\frac{}{(\Gamma_1, x{:}A, \Gamma_2);\cdot;\cdot \vdash x \downarrow x : A}\ \text{ivar}
\qquad
\frac{(\Gamma, x{:}A);\Delta;\Omega \vdash M\,x \Uparrow M' : B}{\Gamma;\Delta;\Omega \vdash M \Uparrow \lambda x{:}A.\,M' : A \rightarrow B}\ {\rightarrow}I$$

$$\frac{\Gamma;\Delta;\Omega \vdash M \downarrow M' : A \rightarrow B \quad \Gamma;\cdot;\cdot \vdash N \Uparrow N' : A}{\Gamma;\Delta;\Omega \vdash M\,N \downarrow M'\,N' : B}\ {\rightarrow}E$$

Linear Functions.

$$\frac{}{\Gamma;y{:}A;\cdot \vdash y \downarrow y : A}\ \text{lvar}
\qquad
\frac{\Gamma;(\Delta, y{:}A);\Omega \vdash M\,\hat{}\,y \Uparrow M' : B}{\Gamma;\Delta;\Omega \vdash M \Uparrow \hat{\lambda} y{:}A.\,M' : A \multimap B}\ {\multimap}I$$

$$\frac{\Gamma;\Delta_1;\Omega \vdash M \downarrow M' : A \multimap B \quad \Gamma;\Delta_2;\cdot \vdash N \Uparrow N' : A}{\Gamma;(\Delta_1 \bowtie \Delta_2);\Omega \vdash M\,\hat{}\,N \downarrow M'\,\hat{}\,N' : B}\ {\multimap}E$$

Ordered Functions.

$$\frac{}{\Gamma;\cdot;z{:}A \vdash z \downarrow z : A}\ \text{ovar}$$

$$\frac{\Gamma;\Delta;(\Omega, z{:}A) \vdash M\,{}^{>}z \Uparrow M' : B}{\Gamma;\Delta;\Omega \vdash M \Uparrow \lambda^{>} z{:}A.\,M' : A \twoheadrightarrow B}\ {\twoheadrightarrow}I
\qquad
\frac{\Gamma;\Delta_1;\Omega_1 \vdash M \downarrow M' : A \twoheadrightarrow B \quad \Gamma;\Delta_2;\Omega_2 \vdash N \Uparrow N' : A}{\Gamma;(\Delta_1 \bowtie \Delta_2);(\Omega_1, \Omega_2) \vdash M\,{}^{>}N \downarrow M'\,{}^{>}N' : B}\ {\twoheadrightarrow}E$$

$$\frac{\Gamma;\Delta;(z{:}A, \Omega) \vdash M\,{}^{<}z \Uparrow M' : B}{\Gamma;\Delta;\Omega \vdash M \Uparrow \lambda^{<} z{:}A.\,M' : A \twoheadleftarrow B}\ {\twoheadleftarrow}I
\qquad
\frac{\Gamma;\Delta_1;\Omega_1 \vdash M \downarrow M' : A \twoheadleftarrow B \quad \Gamma;\Delta_2;\Omega_2 \vdash N \Uparrow N' : A}{\Gamma;(\Delta_1 \bowtie \Delta_2);(\Omega_2, \Omega_1) \vdash M\,{}^{<}N \downarrow M'\,{}^{<}N' : B}\ {\twoheadleftarrow}E$$
We remark that the expected structural properties of the intuitionistic and linear contexts also hold for this system. Furthermore, if $\Gamma;\Delta;\Omega \vdash M \Uparrow M' : A$ then $\Gamma;\Delta;\Omega \vdash M' : A$ and $M'$ is in long $\beta\eta$-normal form. These properties follow by immediate structural inductions.
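Read as an algorithm, the judgments above normalise a term by type: at function type, $\eta$-expand (the introduction rules read bottom-up); at atomic type, weak-head reduce and then recurse into the arguments of the atomic head. The following implementation is an added example for this page, not code from the paper or its authors: it works on the simply-typed image of the calculus under the forgetful interpretation mentioned in Section 2 (all function spaces collapsed to $\rightarrow$), so it computes long $\beta\eta$-normal forms but does not track linearity or order. The tuple encoding of terms and types, the helper names and the sample terms are assumptions of the example.

```python
# Added example for this page (not code from the paper): the canonical-form
# judgments read as an algorithm, on the simply-typed image of the calculus
# (all function spaces collapsed to '->', so linearity and order are not
# tracked).  Encoding (an assumption of this example):
#   types: ('P', name) | ('->', A, B)
#   terms: ('var', x) | ('lam', x, A, M) | ('app', M, N)

_counter = [0]

def fresh(base):
    """A name used nowhere else: every fresh name carries a unique number."""
    _counter[0] += 1
    return '%s%d' % (base, _counter[0])

def free_vars(t):
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'lam':
        return free_vars(t[3]) - {t[1]}
    return free_vars(t[1]) | free_vars(t[2])

def subst(n, x, m):
    """[n/x]m, renaming a binder when it would capture a free variable of n."""
    if m[0] == 'var':
        return n if m[1] == x else m
    if m[0] == 'app':
        return ('app', subst(n, x, m[1]), subst(n, x, m[2]))
    _, y, a, body = m
    if y == x:
        return m
    if y in free_vars(n):
        y2 = fresh(y)
        body = subst(('var', y2), y, body)
        y = y2
    return ('lam', y, a, subst(n, x, body))

def whr(t):
    """One weak head reduction step, or None if the head is not a beta redex."""
    if t[0] != 'app':
        return None
    m, n = t[1], t[2]
    if m[0] == 'lam':                      # beta at the head
        return subst(n, m[1], m[3])
    m2 = whr(m)                            # congruence rule: reduce the function part
    return None if m2 is None else ('app', m2, n)

def canon(t, ctx, a):
    """ctx |- t ⇑ t' : a; returns t', the long beta-eta-normal form of t."""
    if a[0] == '->':                       # ->I read bottom-up: eta-expand
        x = fresh('x')
        body = canon(('app', t, ('var', x)), {**ctx, x: a[1]}, a[2])
        return ('lam', x, a[1], body)
    while True:                            # atomic type: 'reduction' rule until stuck
        t2 = whr(t)
        if t2 is None:
            break
        t = t2
    t_atomic, found = atomic(t, ctx)       # then the 'coercion' rule
    if found != a:
        raise TypeError('expected %r, found %r' % (a, found))
    return t_atomic

def atomic(t, ctx):
    """ctx |- t ↓ t' : a; returns (t', a)."""
    if t[0] == 'var':                      # variable rules: type from the context
        return t, ctx[t[1]]
    if t[0] == 'app':                      # ->E: atomic function, canonical argument
        m, a = atomic(t[1], ctx)
        if a[0] != '->':
            raise TypeError('head of type %r applied to an argument' % (a,))
        return ('app', m, canon(t[2], ctx, a[1])), a[2]
    raise TypeError('lambda in head position at atomic type')

def alpha_eq(s, t, env=()):
    """Equality of terms up to renaming of bound variables."""
    if s[0] != t[0]:
        return False
    if s[0] == 'var':
        for xs, xt in reversed(env):
            if xs == s[1] or xt == t[1]:
                return xs == s[1] and xt == t[1]
        return s[1] == t[1]
    if s[0] == 'app':
        return alpha_eq(s[1], t[1], env) and alpha_eq(s[2], t[2], env)
    return s[2] == t[2] and alpha_eq(s[3], t[3], env + ((s[1], t[1]),))
```

For example, the identity $\lambda f{:}P \rightarrow P.\,f$ at type $(P \rightarrow P) \rightarrow (P \rightarrow P)$ is expanded to $\lambda f.\,\lambda x.\,f\,x$, and a term with a $\beta$-redex under its binders, such as $\lambda g.\,\lambda y.\,(\lambda z.\,g\,z)\,y$, reaches the same canonical form up to renaming; `canon` raises `TypeError` on ill-typed input instead of producing a term.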

The following unary Kripke logical relation is the crux of our argument. It 
is defined by induction on the type A. Note how the structural properties of 
intuitionistic, linear, and ordered contexts are captured in this definition. 

$$\Gamma;\Delta;\Omega \vdash M \in [\![P]\!] \ \text{ iff }\ \Gamma;\Delta;\Omega \vdash M \Uparrow N : P \text{ for some } N.$$

$$\Gamma;\Delta;\Omega \vdash M \in [\![A_1 \rightarrow A_2]\!] \ \text{ iff for all } \Gamma_N \text{ and } N, \text{ if } \Gamma, \Gamma_N;\cdot;\cdot \vdash N \in [\![A_1]\!] \text{ then } \Gamma, \Gamma_N;\Delta;\Omega \vdash M\,N \in [\![A_2]\!].$$

$$\Gamma;\Delta;\Omega \vdash M \in [\![A_1 \multimap A_2]\!] \ \text{ iff for all } \Delta_N \text{ and } N, \text{ if } \Gamma;\Delta_N;\cdot \vdash N \in [\![A_1]\!] \text{ then } \Gamma;\Delta \bowtie \Delta_N;\Omega \vdash M\,\hat{}\,N \in [\![A_2]\!].$$

$$\Gamma;\Delta;\Omega \vdash M \in [\![A_1 \twoheadrightarrow A_2]\!] \ \text{ iff for all } \Delta_N, \Omega_N \text{ and } N, \text{ if } \Gamma;\Delta_N;\Omega_N \vdash N \in [\![A_1]\!] \text{ then } \Gamma;\Delta \bowtie \Delta_N;\Omega, \Omega_N \vdash M\,{}^{>}N \in [\![A_2]\!].$$

$$\Gamma;\Delta;\Omega \vdash M \in [\![A_1 \twoheadleftarrow A_2]\!] \ \text{ iff for all } \Delta_N, \Omega_N \text{ and } N, \text{ if } \Gamma;\Delta_N;\Omega_N \vdash N \in [\![A_1]\!] \text{ then } \Gamma;\Delta \bowtie \Delta_N;\Omega_N, \Omega \vdash M\,{}^{<}N \in [\![A_2]\!].$$

We can now formally state and prove the second part of our proof: that well-typed terms in the logical relation at all types have canonical forms. We can prove this only simultaneously with the reverse statement for terms with an atomic form.

Lemma 3 (Logical Relations and Canonical Forms).

1. If $\Gamma;\Delta;\Omega \vdash M \in [\![A]\!]$ then $\Gamma;\Delta;\Omega \vdash M \Uparrow N : A$ for some $N$.

2. If $\Gamma;\Delta;\Omega \vdash M \downarrow N : A$ then $\Gamma;\Delta;\Omega \vdash M \in [\![A]\!]$.

Proof: By induction on $A$ using structural properties of contexts. □



Lemma 4 (Closure Under Head Expansion).

If $M \xrightarrow{\mathrm{whr}} M'$ and $\Gamma;\Delta;\Omega \vdash M' \in [\![A]\!]$ then $\Gamma;\Delta;\Omega \vdash M \in [\![A]\!]$.

Proof: By induction on $A$ making use of lemma 3. □

In order to show $\Gamma;\Delta;\Omega \vdash M : A$ implies $\Gamma;\Delta;\Omega \vdash M \in [\![A]\!]$, we need to explicitly manipulate substitutions. We shall define a substitution to be a triple, $(\gamma;\delta;\omega)$, where each component is a list of term/variable pairs.

$$(\gamma;\delta;\omega) ::= (\cdot;\cdot;\cdot) \mid (\gamma, M/x;\delta;\omega) \mid (\gamma;\delta, M/y;\omega) \mid (\gamma;\delta;\omega, M/z)$$

We assume no variable is defined more than once in $(\gamma;\delta;\omega)$ and we write $(\gamma;\delta;\omega)(v) = M$ if $M/v$ occurs in $(\gamma;\delta;\omega)$. We define well-typed substitutions with the judgment $\Gamma';\Delta';\Omega' \vdash (\gamma;\delta;\omega) : \Gamma;\Delta;\Omega$, which means that $\gamma$, $\delta$, $\omega$ supply appropriate terms for the variables declared in $\Gamma$, $\Delta$, $\Omega$, respectively.



$$\frac{}{\Gamma';\cdot;\cdot \vdash (\cdot;\cdot;\cdot) : \cdot;\cdot;\cdot}$$

$$\frac{\Gamma';\Delta';\Omega' \vdash (\gamma;\delta;\omega) : \Gamma;\Delta;\Omega \quad \Gamma';\cdot;\cdot \vdash M : A}{\Gamma';\Delta';\Omega' \vdash (\gamma, M/x;\delta;\omega) : \Gamma, x{:}A;\Delta;\Omega}$$

$$\frac{\Gamma';\Delta'_1;\Omega' \vdash (\gamma;\delta;\omega) : \Gamma;\Delta;\Omega \quad \Gamma';\Delta'_2;\cdot \vdash M : A}{\Gamma';\Delta'_1 \bowtie \Delta'_2;\Omega' \vdash (\gamma;\delta, M/y;\omega) : \Gamma;\Delta, y{:}A;\Omega}$$

$$\frac{\Gamma';\Delta'_1;\Omega'_1 \vdash (\gamma;\delta;\omega) : \Gamma;\Delta;\Omega \quad \Gamma';\Delta'_2;\Omega'_2 \vdash M : A}{\Gamma';\Delta'_1 \bowtie \Delta'_2;\Omega'_1, \Omega'_2 \vdash (\gamma;\delta;\omega, M/z) : \Gamma;\Delta;\Omega, z{:}A}$$

Note the restrictions which prohibit, for example, that the substitution term 
for a linear variable depends on an ordered variable. Such a dependence would 
falsify Theorem 5. 

When computing the result of applying a substitution to a term, we would 
like to maintain the invariant that the substitution matches the contexts in 
which the term is well-formed. This means we have to split the substitution 
at applications. Thus, we define the application of a substitution to a term as 
follows: 



$$[(\gamma;\delta;\omega)]v = (\gamma;\delta;\omega)(v)$$

$$[(\gamma;\delta;\omega)](\lambda x{:}A.\,M) = \lambda x{:}A.\,[(\gamma, x/x;\delta;\omega)]M
\qquad
[(\gamma;\delta;\omega)](M\,N) = ([(\gamma;\delta;\omega)]M)\,([(\gamma;\cdot;\cdot)]N)$$

$$[(\gamma;\delta;\omega)](\hat{\lambda} y{:}A.\,M) = \hat{\lambda} y{:}A.\,[(\gamma;\delta, y/y;\omega)]M
\qquad
[(\gamma;\delta_1 \bowtie \delta_2;\omega)](M\,\hat{}\,N) = ([(\gamma;\delta_1;\omega)]M)\,\hat{}\,([(\gamma;\delta_2;\cdot)]N)$$

$$[(\gamma;\delta;\omega)](\lambda^{>} z{:}A.\,M) = \lambda^{>} z{:}A.\,[(\gamma;\delta;\omega, z/z)]M
\qquad
[(\gamma;\delta_1 \bowtie \delta_2;\omega_1, \omega_2)](M\,{}^{>}N) = ([(\gamma;\delta_1;\omega_1)]M)\,{}^{>}([(\gamma;\delta_2;\omega_2)]N)$$

$$[(\gamma;\delta;\omega)](\lambda^{<} z{:}A.\,M) = \lambda^{<} z{:}A.\,[(\gamma;\delta;z/z, \omega)]M
\qquad
[(\gamma;\delta_1 \bowtie \delta_2;\omega_2, \omega_1)](M\,{}^{<}N) = ([(\gamma;\delta_1;\omega_1)]M)\,{}^{<}([(\gamma;\delta_2;\omega_2)]N)$$

At first glance the substitution splitting may seem non-deterministic. However, 
the proper split can be easily determined from the typing derivation of the term 
we substitute into. Since typing derivations are unique, there is no ambiguity. 
We rely on this in the proof of the fundamental theorem of logical relations 
(Lemma 7). 

Lemma 5 (Typing and Substitutions). If $\Gamma;\Delta;\Omega \vdash M : A$ and $\Gamma';\Delta';\Omega' \vdash (\gamma;\delta;\omega) : \Gamma;\Delta;\Omega$ then $\Gamma';\Delta';\Omega' \vdash [(\gamma;\delta;\omega)]M : A$.

Proof: By induction on the structure of the derivation of $\Gamma;\Delta;\Omega \vdash M : A$. □



Natural Deduction for Intuitionistic Non-Commutative Linear Logic 305



Substitutions compose in the obvious way, although we do not investigate properties of substitutions further here. We write $\mathrm{id}_{\Gamma;\Delta;\Omega}$ for the identity substitution on the variables declared in $\Gamma$, $\Delta$, and $\Omega$. We define logical relations on substitutions by induction on the structure of contexts.

$$\Gamma';\Delta';\Omega' \vdash (\gamma, M/x;\delta;\omega) \in [\![\Gamma, x{:}A;\Delta;\Omega]\!] \ \text{ iff }\ \Gamma';\Delta';\Omega' \vdash (\gamma;\delta;\omega) \in [\![\Gamma;\Delta;\Omega]\!] \text{ and } \Gamma';\cdot;\cdot \vdash M \in [\![A]\!]$$

$$\Gamma';\Delta'_1 \bowtie \Delta'_2;\Omega' \vdash (\gamma;\delta, M/y;\omega) \in [\![\Gamma;\Delta, y{:}A;\Omega]\!] \ \text{ iff }\ \Gamma';\Delta'_1;\Omega' \vdash (\gamma;\delta;\omega) \in [\![\Gamma;\Delta;\Omega]\!] \text{ and } \Gamma';\Delta'_2;\cdot \vdash M \in [\![A]\!]$$

$$\Gamma';\Delta'_1 \bowtie \Delta'_2;\Omega'_1, \Omega'_2 \vdash (\gamma;\delta;\omega, M/z) \in [\![\Gamma;\Delta;\Omega, z{:}A]\!] \ \text{ iff }\ \Gamma';\Delta'_1;\Omega'_1 \vdash (\gamma;\delta;\omega) \in [\![\Gamma;\Delta;\Omega]\!] \text{ and } \Gamma';\Delta'_2;\Omega'_2 \vdash M \in [\![A]\!]$$

Lemma 6 (Identity). $\Gamma;\Delta;\Omega \vdash \mathrm{id}_{\Gamma;\Delta;\Omega} \in [\![\Gamma;\Delta;\Omega]\!]$

Proof: Immediate by definition and lemma 3. □

Lemma 7 (Typing and Logical Relations). If $\Gamma;\Delta;\Omega \vdash M : A$ then for any $\Gamma';\Delta';\Omega' \vdash (\gamma;\delta;\omega) \in [\![\Gamma;\Delta;\Omega]\!]$ we have $\Gamma';\Delta';\Omega' \vdash [(\gamma;\delta;\omega)]M \in [\![A]\!]$.

Proof: By induction on the structure of the given derivation using lemma 4. □

Theorem 3 (Canonical Forms).

If $\Gamma;\Delta;\Omega \vdash M : A$ then for some $N$, $\Gamma;\Delta;\Omega \vdash M \Uparrow N : A$.

Proof: Immediate from lemmas 7, 3, and 6. □

4 Other Logical Connectives 

Before considering the other standard connectives from linear logic, we note 
further structural properties. 

Theorem 4 (Demotion).

1. If $\Gamma;(\Delta_1, y{:}A, \Delta_2);\Omega \vdash M : B$ then $(\Gamma, x{:}A);(\Delta_1, \Delta_2);\Omega \vdash [x/y]M : B$.

2. If $\Gamma;\Delta;(\Omega_1, z{:}A, \Omega_2) \vdash M : B$ then $\Gamma;(\Delta, y{:}A);(\Omega_1, \Omega_2) \vdash [y/z]M : B$.

Proof: In both cases by induction on the structure of the given derivation. □

When considering the typing rules for the new connectives, we shall take care 
that the preceding property continues to hold. The subject reduction and strong 
normalization theorems also continue to hold, with straightforward extensions 
of the proofs mentioned in Section 2. 

Some of the new connectives, namely an ordered conjunction ($\bullet$), multiplicative unit ($1$), disjunction ($\oplus$), falsehood ($0$), mobility ($\text{¡}$) and exponential ($!$) introduce commutative conversions into the proof term calculus. Unique canonical forms no longer exist, even though each connective remains locally sound and complete. This means that these connectives must be ruled out or restricted in logic programming or logical frameworks applications of INCLL. Fortunately, this does not seem to be a serious drawback in practice [PP98].
Ordered Conjunction $A \bullet B$.

$$\frac{\Gamma;\Delta_1;\Omega_1 \vdash M : A \quad \Gamma;\Delta_2;\Omega_2 \vdash N : B}{\Gamma;(\Delta_1 \bowtie \Delta_2);(\Omega_1, \Omega_2) \vdash M \bullet N : A \bullet B}\ {\bullet}I$$

$$\frac{\Gamma;\Delta_2;\Omega_2 \vdash M : A \bullet B \quad \Gamma;\Delta_1;(\Omega_1, z{:}A, z'{:}B, \Omega_3) \vdash N : C}{\Gamma;(\Delta_1 \bowtie \Delta_2);(\Omega_1, \Omega_2, \Omega_3) \vdash \mathsf{let}\ z \bullet z' = M\ \mathsf{in}\ N : C}\ {\bullet}E$$

We have the following reduction rule:

$$\mathsf{let}\ z \bullet z' = M \bullet M'\ \mathsf{in}\ N \longrightarrow [M/z, M'/z']N$$



Multiplicative Unit $1$. This is the right and left unit element for the ordered conjunction connective: $1 \twoheadrightarrow C$, $C$, and $1 \twoheadleftarrow C$ are interderivable, as are $A \bullet 1$, $A$, and $1 \bullet A$. The introduction rule, which requires empty linear and ordered contexts, shows why there is only one multiplicative unit.

$$\frac{}{\Gamma;\cdot;\cdot \vdash * : 1}\ 1I
\qquad
\frac{\Gamma;\Delta_2;\Omega_2 \vdash M : 1 \quad \Gamma;\Delta_1;(\Omega_1, \Omega_3) \vdash N : C}{\Gamma;(\Delta_1 \bowtie \Delta_2);(\Omega_1, \Omega_2, \Omega_3) \vdash \mathsf{let}\ * = M\ \mathsf{in}\ N : C}\ 1E$$

We have the following reduction rule:

$$\mathsf{let}\ * = *\ \mathsf{in}\ N \longrightarrow N$$



Additive Conjunction $A \mathbin{\&} B$. This is additive on both the linear and ordered contexts, in order to preserve Theorem 4.

$$\frac{\Gamma;\Delta;\Omega \vdash M : A \quad \Gamma;\Delta;\Omega \vdash N : B}{\Gamma;\Delta;\Omega \vdash \langle M, N\rangle : A \mathbin{\&} B}\ {\&}I$$

$$\frac{\Gamma;\Delta;\Omega \vdash M : A \mathbin{\&} B}{\Gamma;\Delta;\Omega \vdash \mathsf{fst}\,M : A}\ {\&}E_1
\qquad
\frac{\Gamma;\Delta;\Omega \vdash M : A \mathbin{\&} B}{\Gamma;\Delta;\Omega \vdash \mathsf{snd}\,M : B}\ {\&}E_2$$

We have the following reduction rules:

$$\mathsf{fst}\,\langle M, N\rangle \longrightarrow M \qquad \mathsf{snd}\,\langle M, N\rangle \longrightarrow N$$

Additive Unit $\top$. Because it is additive, the left and right units for $\&$ coincide.

$$\frac{}{\Gamma;\Delta;\Omega \vdash \langle\rangle : \top}\ {\top}I$$

Since there is no elimination rule, there are no reductions for the additive unit.
Disjunction $A \oplus B$. The disjunction is additive and therefore does not split into left and right versions.

$$\frac{\Gamma;\Delta;\Omega \vdash M : A}{\Gamma;\Delta;\Omega \vdash \mathsf{inl}^{B}\,M : A \oplus B}\ {\oplus}I_1
\qquad
\frac{\Gamma;\Delta;\Omega \vdash M : B}{\Gamma;\Delta;\Omega \vdash \mathsf{inr}^{A}\,M : A \oplus B}\ {\oplus}I_2$$

$$\frac{\Gamma;\Delta_2;\Omega_2 \vdash M : A \oplus B \quad \Gamma;\Delta_1;(\Omega_1, z{:}A, \Omega_3) \vdash N : C \quad \Gamma;\Delta_1;(\Omega_1, z'{:}B, \Omega_3) \vdash N' : C}{\Gamma;(\Delta_1 \bowtie \Delta_2);(\Omega_1, \Omega_2, \Omega_3) \vdash \mathsf{case}\ M\ \mathsf{of}\ \mathsf{inl}\,z \Rightarrow N \mid \mathsf{inr}\,z' \Rightarrow N' : C}\ {\oplus}E$$

We have the following reduction rules:

$$\mathsf{case}\ \mathsf{inl}^{B}\,M\ \mathsf{of}\ \mathsf{inl}\,z \Rightarrow N \mid \mathsf{inr}\,z' \Rightarrow N' \longrightarrow [M/z]N$$

$$\mathsf{case}\ \mathsf{inr}^{A}\,M'\ \mathsf{of}\ \mathsf{inl}\,z \Rightarrow N \mid \mathsf{inr}\,z' \Rightarrow N' \longrightarrow [M'/z']N'$$

Additive Falsehood $0$. This is the unit for disjunction.

$$\frac{\Gamma;\Delta_2;\Omega_2 \vdash M : 0}{\Gamma;(\Delta_1 \bowtie \Delta_2);(\Omega_1, \Omega_2, \Omega_3) \vdash \mathsf{abort}^{C}\,M : C}\ 0E$$

Since there is no introduction rule for $0$, there are no new reductions.

Linear Exponential ${!}A$.

$$\frac{\Gamma;\cdot;\cdot \vdash M : A}{\Gamma;\cdot;\cdot \vdash {!}M : {!}A}\ {!}I
\qquad
\frac{\Gamma;\Delta_2;\Omega_2 \vdash M : {!}A \quad (\Gamma, x{:}A);\Delta_1;(\Omega_1, \Omega_3) \vdash N : C}{\Gamma;(\Delta_1 \bowtie \Delta_2);(\Omega_1, \Omega_2, \Omega_3) \vdash \mathsf{let}\ {!}x = M\ \mathsf{in}\ N : C}\ {!}E$$

We have the following reduction rule:

$$\mathsf{let}\ {!}x = {!}M\ \mathsf{in}\ N \longrightarrow [M/x]N$$

Mobility Modal $\text{¡}A$. We may also consider a modality not present in linear logic which allows an ordered hypothesis to be used out of order. In analogy with $!$, we wish to have $\text{¡}A \twoheadrightarrow B = \text{¡}A \twoheadleftarrow B = A \multimap B$.

$$\frac{\Gamma;\Delta;\cdot \vdash M : A}{\Gamma;\Delta;\cdot \vdash \text{¡}M : \text{¡}A}\ \text{¡}I
\qquad
\frac{\Gamma;\Delta_2;\Omega_2 \vdash M : \text{¡}A \quad \Gamma;(\Delta_1, y{:}A);(\Omega_1, \Omega_3) \vdash N : C}{\Gamma;(\Delta_1 \bowtie \Delta_2);(\Omega_1, \Omega_2, \Omega_3) \vdash \mathsf{let}\ \text{¡}y = M\ \mathsf{in}\ N : C}\ \text{¡}E$$

We have the following reduction rule:

$$\mathsf{let}\ \text{¡}y = \text{¡}M\ \mathsf{in}\ N \longrightarrow [M/y]N$$
5 Conclusion and Future Work

We have presented a natural deduction version of intuitionistic non-commutative 
linear logic which conservatively extends intuitionistic linear logic. We have 
shown that the proof term calculus satisfies subject reduction and strong normal- 
ization, and that canonical forms exist for the implicational fragment. In [PP99] 
we present a sequent calculus for INCLL, prove cut-elimination and show that 
it closely corresponds to the natural deduction system presented here. 

Applications lie in the areas of logical frameworks, functional programming, 
logic programming, and natural language processing. These applications are 
sketched in the introduction and are the subject of current research. At present, 
for example, we have shown that the ordering properties of functional programs 
which result from CPS conversion discovered by Danvy [Dan94] can be cap- 
tured completely internally in the INCLL term calculus. We have also shown 
that uniform derivations are sound and complete with respect to our calculus, 
which means that the implicational fragment of INCLL can be considered an ab- 
stract logic programming language [MNPS91]. A prototype implementation using 
advanced resource management strategies analogous to Lolli [Hod94] has been 
used for the concise expression of various algorithms for sorting, natural language 
parsing, and the execution of abstract machines. The systems and examples may 
be found in [PP98] . 

We have also given an operational semantics to an extension of the functional 
core presented here and are investigating the connection between stackability of 
intermediate values and ordered function arguments. 
Abstract. The second-order lambda calculus allows an elegant formalisation of abstract data types (ADT's) using existential types. Plotkin and Abadi's logic for parametricity [PA93] then provides the useful proof principle of simulation for ADT's, which can be used to show equivalence of data representations. However, we show that this logic is not sufficient for reasoning about specifications of ADT's, and we present an extension of the logic that does provide the proof principles for ADT's that we want.



1 Introduction 

The second-order lambda calculus allows an elegant formalisation of abstract 
data types (ADT’s), as shown in [MP88], using existential types. This descrip- 
tion of ADT’s provides a useful basis to investigate properties of ADT’s. In 
particular, it has been successfully used to investigate a notion of equivalence of 
implementations of ADT’s. [Mit91] considers a semantic notion of equivalence 
of data representations, which suggests a method for proving the equivalence of 
data representations, namely by showing that there exists a simulation relation 
between the representations. We will refer to this proof principle as simulation. 
Plotkin and Abadi’s logic for parametricity [PA93] is a logic for reasoning about 
the second order lambda calculus (system F). It formalises the notion of para- 
metricity, and for the existential types this logic does indeed provide the proof 
principle of simulation envisaged in [Mit91]. 

Unfortunately, it turns out that this proof principle of simulation for existen- 
tial types is not enough for reasoning about specifications of ADT’s, in particular 
specifications that use equality. We propose an extension of the logic of [PA93] 
(with axioms stating the existence of quotients, to be precise) that does provide 
all the proof principles one would like for reasoning about ADT’s. The same PER 
model used in [PA93] as a semantics for their logic immediately justifies these 
additional axioms. (Indeed, in the PER model all types are “quotient types”.) 

The remainder of this introduction discusses one of the proof principles we 
want for ADT’s. It is a very natural one, that immediately arises whenever an 
implementation of an ADT allows different concrete representations of the same abstract value. This example will be treated in more detail later in Section 4.

Suppose we implement an ADT for bags using lists to represent bags. Then there will be many different lists that represent the same bag: any two lists that are permutations represent the same bag. As a consequence, there are different notions of equality in play: equality of lists, equality of bags, and the relation $\sim_{perm}$ on lists that relates lists representing the same bag (i.e. that are permutations). A programmer implementing an ADT has to be aware of the fact that there are these different notions of equality. But a programmer using an ADT should only have to deal with equality of bags, and not have to know anything about an underlying relation $\sim_{perm}$ on lists. Indeed, this is precisely the abstraction that an abstract data type is supposed to provide. A consequence of all this is that the programmer implementing an ADT and the programmer using an ADT may want to use a slightly different specification: the former in terms of the relation $\sim_{perm}$ on the concrete data type of lists, the latter in terms of equality on the abstract data type of bags. For instance, the programmer using the ADT might require that

$$\forall m, n : \mathit{Nat},\ s : \mathit{Bag}.\ \mathit{add}(m, \mathit{add}(n, s)) = \mathit{add}(n, \mathit{add}(m, s)) \qquad \text{(i)}$$

and to meet this specification, the programmer implementing the ADT must ensure that

$$\forall m, n : \mathit{Nat},\ s : \mathit{List}.\ \mathit{cons}(m, \mathit{cons}(n, s)) \sim_{perm} \mathit{cons}(n, \mathit{cons}(m, s)) \qquad \text{(ii)}$$

if add is implemented as cons. In a logic for reasoning with (specifications of) 
ADT’s we should be able to relate statements such as (i) and (ii). In particular, 
here one would want to be able to prove that (ii) implies (i). We will refer to a 
proof principle that would allow us to deduce (i) from (ii) as abstraction. 

The logic for parametricity of [PA93] does not quite provide this proof princi- 
ple of abstraction for arbitrary ADT’s and specifications. But extending the logic 
with axioms stating the existence of quotients solves this problem: we will show 
that then the proof principle of abstraction can be obtained from the proof prin- 
ciple of simulation, which is provided by the logic for parametricity of [PA93]. 
(For this particular example, we would want the existence of lists quotiented by $\sim_{perm}$.)

The organisation of this paper is as follows. Section 2 defines our notation for the second-order lambda calculus and gives a quick recap on how existential types can be used for ADT's. Section 3 discusses the logic for parametricity of [Tak97], which is a slightly different formulation of the logic as first introduced in [PA93]; in particular, we discuss the proof principle of simulation for proving equivalence of data representations that this logic provides. Section 4 then considers a simple example of a specification of an ADT for bags and illustrates the problem with reasoning about ADT's hinted at above. Section 5 then presents our extension of the logic that does provide the power we want.
2 The second-order lambda calculus

We first give the definition of the second-order lambda calculus, and then illus- 
trate how the existential types can be used for ADT’s. 

The terms $t$ and types $T$ of the second-order lambda calculus are given by

$$t ::= x \mid \lambda x{:}T.\,t \mid t\,t \mid \langle t, t\rangle \mid t.i \mid \Lambda X.\,t \mid t\,T \mid \mathsf{pack}\,\langle T, t\rangle\ \mathsf{to}\ T \mid \mathsf{open}\ t\ \mathsf{as}\ \langle X, x\rangle\ \mathsf{in}\ t$$
$$T ::= X \mid T \times T \mid T \rightarrow T \mid \forall X.\,T \mid \exists X.\,T$$

Here x ranges over term-variables, X over type-variables. Free and bound vari- 
ables are defined as usual. Terms and types equal up to the names of bound 
variables and permutation of fields are identified. 

We use the following convention for our meta- variables: x,y, z range over 
term variables, X, Y, Z range over type variables, a, b, c, / range over terms (or 
programs), A, B, C range over types. 

We include products and existentials as primitives here because they play an 
important role later, but of course they can be regarded as syntactic sugar for 
their usual encodings. (In fact, we will not even need the universal types in this 
paper.) Later on we will also use some base types, namely a type Nat of natural 
numbers and a type List of lists of natural numbers. These can be encoded in 
the usual way, too. 

The typing rules for judgements of the form $\Gamma \vdash t : T$, where $\Gamma$ is a sequence of declarations $x_1 : T_1, \ldots, x_n : T_n$, are

$$\frac{}{\Gamma, x{:}A, \Gamma' \vdash x : A}$$

$$\frac{\Gamma, x{:}A \vdash b : B}{\Gamma \vdash \lambda x{:}A.\,b : A \rightarrow B}
\qquad
\frac{\Gamma \vdash f : A \rightarrow B \quad \Gamma \vdash a : A}{\Gamma \vdash f\,a : B}$$

$$\frac{\Gamma \vdash a_1 : A_1 \quad \Gamma \vdash a_2 : A_2}{\Gamma \vdash \langle a_1, a_2\rangle : A_1 \times A_2}
\qquad
\frac{\Gamma \vdash a : A_1 \times A_2}{\Gamma \vdash a.i : A_i}\ (i = 1, 2)$$

$$\frac{\Gamma \vdash b : B}{\Gamma \vdash \Lambda X.\,b : \forall X.\,B}\ (X \text{ not free in } \Gamma)
\qquad
\frac{\Gamma \vdash f : \forall X.\,B}{\Gamma \vdash f\,A : B[A/X]}$$

$$\frac{\Gamma \vdash c : A[C/X]}{\Gamma \vdash (\mathsf{pack}\,\langle C, c\rangle\ \mathsf{to}\ \exists X.\,A) : \exists X.\,A}\ (X \text{ not free in } \Gamma)$$

$$\frac{\Gamma, x{:}A \vdash b : B \quad \Gamma \vdash s : \exists X.\,A}{\Gamma \vdash (\mathsf{open}\ s\ \mathsf{as}\ \langle X, x\rangle\ \mathsf{in}\ b) : B}\ (X \text{ not free in } B \text{ or } \Gamma)$$

The reduction rules are $(\lambda x{:}A.\,b)\,a \rhd_\beta b[a/x]$, $(\Lambda X.\,a)\,A \rhd_\beta a[A/X]$, $\langle a_1, a_2\rangle.i \rhd_\beta a_i$, and $\mathsf{open}\ (\mathsf{pack}\,\langle C, c\rangle\ \mathsf{to}\ \exists X.\,A)\ \mathsf{as}\ \langle X, x\rangle\ \mathsf{in}\ b \rhd_\beta b[C/X, c/x]$.

Notation. The notation for pairs is extended to $n$-tuples, which are simply nested pairs. E.g. we write $A \times B \times C$ for $A \times (B \times C)$ and $\langle a, b, c\rangle$ for $\langle a, \langle b, c\rangle\rangle$. We typically omit the second type parameter of pack, writing $\mathsf{pack}\,\langle C, a\rangle$ for $(\mathsf{pack}\,\langle C, a\rangle\ \mathsf{to}\ \exists X.\,A)$, whenever this type is clear from the context. Finally, we will sometimes use a "pattern-matching" style notation for tuples, e.g. writing $\lambda\langle y, z\rangle{:}A \times B.\,c$ instead of $\lambda x{:}A \times B.\,c[x.1/y, x.2/z]$.

Abstract Data Types as Existential Types 

Existential types allow an elegant formalisation of abstract data types (ADT’s), 
as shown in [MP88]. This formalisation provides a clean separation between 
using an ADT on the one hand and implementing an ADT on the other hand. 
Moreover, as is often the case with descriptions of notions from programming 
languages in terms of typed lambda calculus, this formalisation provides a more 
powerful notion than exists in most existing programming languages: existential 
types provide implementations of ADT’s as “first-class citizens”, i.e. as values 
that can be passed as parameters to functions or returned as results like any 
other value. This also means that we can talk about equality of implementations 
of ADT’s just like we can talk about equality of other values. (This will be useful 
later, in Section 3, when we consider proof rules for ADT’s.) 

The remainder of this section briefly explains the use of existential types for 
ADT’s (for a more extensive discussion see [MP88]), and introduces our running 
example of bags. 

Our running example will be an ADT of bags, which provides a type Bag 
with three operations: the operation of adding an element to a bag, an operation 
to inspect how often a given element occurs in a bag, and the empty bag: 

$$\mathit{empty} : \mathit{Bag}, \qquad \mathit{add} : \mathit{Nat} \times \mathit{Bag} \rightarrow \mathit{Bag}, \qquad \mathit{card} : \mathit{Nat} \times \mathit{Bag} \rightarrow \mathit{Nat}.$$

Tupling the three operations yields

$$\langle \mathit{empty}, \mathit{add}, \mathit{card}\rangle : \mathit{Bag} \times (\mathit{Nat} \times \mathit{Bag} \rightarrow \mathit{Bag}) \times (\mathit{Nat} \times \mathit{Bag} \rightarrow \mathit{Nat}),$$

so the signature of the ADT can be given as

$$\mathit{BagSig}(X) = X \times (\mathit{Nat} \times X \rightarrow X) \times (\mathit{Nat} \times X \rightarrow \mathit{Nat}).$$

The existential type $\mathit{BagImp}$, $\mathit{BagImp} = \exists X.\,\mathit{BagSig}(X)$, can be used as type of implementations of the ADT of bags, as we will now explain.
implementations of the ADT of bags, as we will now explain. 

To implement the ADT of bags, we have to come up with some type Rep 
which will be used as representations of bags, and a 3-tuple of functions of 
type BagSig{Rep) that implement the bag-operations for this representation. 
An obvious way to represent bags is to use lists. In this case $\mathit{empty}$ can be implemented as the empty list $\mathit{nil} : \mathit{List}$, $\mathit{add}$ as the operation $\mathit{cons} : \mathit{Nat} \times \mathit{List} \rightarrow \mathit{List}$ on lists, and $\mathit{card}$ as a function $\mathit{count} : \mathit{Nat} \times \mathit{List} \rightarrow \mathit{Nat}$ that counts how often a given natural number occurs in a given list of natural numbers. These three operations have the right types, since

$$\langle \mathit{nil}, \mathit{cons}, \mathit{count}\rangle : \mathit{BagSig}(\mathit{List}).$$

The introduction rule for existential types can be used to construct an element of type $\mathit{BagImp}$ from the type $\mathit{List}$ and the triple $\langle \mathit{nil}, \mathit{cons}, \mathit{count}\rangle$:

$$\mathit{impl} = (\mathsf{pack}\,\langle \mathit{List}, \langle \mathit{nil}, \mathit{cons}, \mathit{count}\rangle\rangle\ \mathsf{to}\ \mathit{BagImp}) : \mathit{BagImp}.$$

Now suppose we want to define some program b that uses the ADT of bags. 
Then in b we want to use the abstract operations empty, add, and card, and b 
has to be well-typed under the assumption that these three abstract operations 
have their correct types: 

$$\mathit{empty} : \mathit{Bag},\ \mathit{add} : \mathit{Nat} \times \mathit{Bag} \rightarrow \mathit{Bag},\ \mathit{card} : \mathit{Nat} \times \mathit{Bag} \rightarrow \mathit{Nat} \vdash b : B$$

Here $\mathit{Bag}$ is a type variable. The elimination rule for existential types tells us how to combine this program $b$ with the implementation $\mathit{impl} : \mathit{BagImp}$ defined above:

$$\mathsf{open}\ \mathit{impl}\ \mathsf{as}\ \langle \mathit{Bag}, \langle \mathit{empty}, \mathit{add}, \mathit{card}\rangle\rangle\ \mathsf{in}\ b : B$$

It is easy to verify that this program behaves as expected:

$$\mathsf{open}\ \mathit{impl}\ \mathsf{as}\ \langle \mathit{Bag}, \langle \mathit{empty}, \mathit{add}, \mathit{card}\rangle\rangle\ \mathsf{in}\ b \ \rhd_\beta\ b[\mathit{List}/\mathit{Bag}, \mathit{nil}/\mathit{empty}, \mathit{cons}/\mathit{add}, \mathit{count}/\mathit{card}].$$

So the concrete representation List gets substituted for the abstract type Bag, 
and the concrete implementations of the operations on List's get substituted for 
the abstract operations on Bag's. 

The typing rules play a crucial role in hiding the concrete implementation of 
the ADT (using List's) from the main program b. It is not possible to apply list 
operations to bags in b, because this would not be well-typed. The program b 
has to be typed under the assumptions that 

$$\mathit{empty} : \mathit{Bag},\ \mathit{add} : \mathit{Nat} \times \mathit{Bag} \rightarrow \mathit{Bag},\ \mathit{card} : \mathit{Nat} \times \mathit{Bag} \rightarrow \mathit{Nat},$$

where $\mathit{Bag}$ is a type variable.
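The hiding that the typing rules enforce can be exercised by running the bag example. The following Python code is an added example for this page, not code from the paper or its authors: it represents an implementation of $\mathit{BagImp}$ as the packed triple $\langle \mathit{empty}, \mathit{add}, \mathit{card}\rangle$, gives the list representation of the paper next to a second representation (multiplicity tables, so that lists related by $\sim_{perm}$ collapse to one value), and checks on constructed sample inputs that the two are related by a simulation relation in the sense sketched in the introduction: the relation holds between the empty bags, is preserved by $\mathit{add}$, and makes $\mathit{card}$ agree. A client program that only uses the abstract operations then produces the same result under both implementations, and a representation that breaks the relation is detected. The names `pack`, `open_with`, `simulates`, `R`, the counter and set representations, and the sample values are assumptions of this example.

```python
# Added example for this page (not code from the paper): the bag ADT packed
# behind an existential type, two representations, and an executable check
# of the simulation principle.  All names and sample data are constructed here.
from collections import Counter


def pack(empty, add, card):
    """An implementation is the triple <empty, add, card> : BagSig(Rep);
    the representation type Rep is visible only inside the triple."""
    return (empty, add, card)


def open_with(impl, client):
    """open impl as <Bag, <empty, add, card>> in client: the client sees the
    three operations and nothing about the representation."""
    empty, add, card = impl
    return client(empty, add, card)


# Representation 1: lists, as in the paper (nil, cons, count).
list_impl = pack(
    (),                                         # nil
    lambda n, s: (n,) + s,                      # cons
    lambda n, s: sum(1 for x in s if x == n),   # count
)


# Representation 2: multiplicity tables; permutations of a list collapse to
# one value, i.e. the quotient List/~perm realised as a data structure.
def _add_counter(n, d):
    d = Counter(d)
    d[n] += 1
    return d


counter_impl = pack(Counter(), _add_counter, lambda n, d: d[n])


def R(s, d):
    """Simulation relation between the two representations: a list and a
    table are related when the table records the multiplicities of the list."""
    return Counter(s) == d


def simulates(impl1, impl2, rel, elems, depth):
    """Check, on every bag built from `elems` with up to `depth` insertions,
    the three conditions of a simulation: rel relates empty to empty, rel is
    preserved by add, and card agrees on related values."""
    (e1, add1, card1), (e2, add2, card2) = impl1, impl2
    if not rel(e1, e2):
        return False
    frontier = [(e1, e2)]
    for _ in range(depth):
        nxt = []
        for s, d in frontier:
            for n in elems:
                s2, d2 = add1(n, s), add2(n, d)
                if not rel(s2, d2) or any(card1(m, s2) != card2(m, d2) for m in elems):
                    return False
                nxt.append((s2, d2))
        frontier = nxt
    return True


def client(empty, add, card):
    """A program b using only the abstract operations; it cannot tell related
    implementations apart, and it observes add(m, add(n, s)) = add(n, add(m, s))."""
    s = add(3, add(5, add(3, empty)))
    t = add(5, add(3, add(3, empty)))
    return (card(3, s), card(5, s), card(7, s), card(3, t) == card(3, s))


# A wrong implementation that forgets multiplicities (sets instead of bags);
# no simulation with the list implementation survives two insertions.
set_impl = pack(frozenset(), lambda n, s: s | {n}, lambda n, s: int(n in s))
```

`simulates(list_impl, counter_impl, R, [1, 2, 3], 3)` returns `True`, and `open_with` gives the same tuple `(2, 1, 0, True)` for both implementations; with `set_impl` and the relation `set(s) == d`, the check fails as soon as an element is inserted twice, because `count` and membership disagree.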

3 The logic for parametricity 

Plotkin and Abadi's logic for parametric polymorphism [PA93] is a logic for reasoning about the second-order lambda calculus that exploits the notion of parametricity. We will use the somewhat different presentation of the logic given by Takeuti [Tak97].

We only describe the fragment of the logic that is of interest to us. This makes the description much simpler and this paper much easier to digest. (In particular, Definition 3 only deals with the type constructors $\rightarrow$ and $\times$, not $\forall$ and $\exists$, which are more complex, and considers the parametricity property only for existential types $\exists X.\,T$ where $T$ is a "first-order" signature built using $X$ and the type constructors $\rightarrow$ and $\times$. The small price we pay for this is that we can only consider ADT's with such signatures, but this covers most examples.)

Takeuti defines the logic for parametricity in two stages: first a base logic L 
which provides the standard logical connectives and their rules, and then a logic 
Par which extends L with axioms expressing parametricity. 
3.1 The base logic L

L is a second-order predicate logic over the second-order lambda calculus, i.e. it provides predicates on the types of the second-order lambda calculus. L is a typed logic, with predicates - and also propositions - having types. The type of propositions is denoted by $*_p$. Predicates can be viewed as functions that return propositions, so $T \rightarrow *_p$ is the type of predicates over type $T$. Relations are binary predicates, so $T \rightarrow T \rightarrow *_p$ is the type of binary predicates - or relations - on $T$. So the types of propositions and predicates are given by

$$\mathbb{P} ::= *_p \mid T \rightarrow \mathbb{P}.$$

The propositions and predicates are given by

$$P ::= P \Rightarrow Q \mid \forall x{:}T.\,P \mid \forall X.\,P \mid \forall P{:}\mathbb{P}.\,Q \mid \lambda x{:}T.\,P \mid P\,t.$$

The first four constructions provide ways to build propositions: namely implication $P \Rightarrow Q$, and three kinds of universal quantification, universal quantification over all elements of a type $\forall x{:}T.\,P$, universal quantification over all types $\forall X.\,P$, and (second-order) universal quantification over propositions and predicates $\forall P{:}\mathbb{P}.\,Q$. The last two constructs allow the definition of predicates $\lambda x{:}T.\,P$ and the application of predicates to terms $P\,t$.

Judgements in the logic L are of the form $\Gamma, \Delta \vdash P$ where $\Gamma$ is a sequence 
of declarations $x_1{:}T_1, \ldots, x_n{:}T_n$ as before, $\Delta$ is a sequence of assumptions 
$P_1, \ldots, P_m$, and $P$ is a proposition. We have the standard structural rules, and 
the standard elimination and introduction rules for the logical connective $\Rightarrow$ and the 
quantifiers $\forall$ (for details see [Tak97]). 

The second-order universal quantification over propositions and predicates 
enables the definition of the logical connectives $\vee$, $\wedge$ and $\exists$ in the usual way. It 
also enables Leibniz' equality for datatypes $T$ to be defined in the standard way: 

Definition 1 (Leibniz' equality). For any type $T$, Leibniz' equality of type 
$T$, $=_T : T \to T \to *_p$, is defined by 

$=_T \;=\; \lambda x, y{:}T.\; \forall P{:}(T \to *_p).\; (P\,x) \Rightarrow (P\,y).$ 

The subscript of $=_T$ will sometimes be omitted when it is clear from the context. 
Leibniz' equality will be written infix. Other relations will sometimes also be 
written infix, and sometimes "postfix", i.e. $(t_1, t_2) \in R$ for $R\,t_1\,t_2$. □ 



Remark 1. For readers familiar with Pure Type Systems (PTS's) [Bar92], we 
note that the logic L of Takeuti can be concisely described as a PTS, namely 
the PTS $(S, A, R)$ with $S = \{*_s, \Box_s, *_p, \Box_p\}$, $A = \{(*_s : \Box_s), (*_p : \Box_p)\}$ and 

$R = \{(\Box_s, *_s),\ (*_s, *_s),\ (*_s, \Box_p),\ (\Box_s, *_p),\ (*_s, *_p),\ (\Box_p, *_p),\ (*_p, *_p)\}.$ 

Here $*_s$ is the type of all datatypes, just like $*_p$ is the type of all propositions. 
The fact that L is a PTS is the main reason why we chose Takeuti's presentation 
of the logic rather than Plotkin & Abadi's; it enabled us to verify some examples 
using the theorem prover Yarrow [Zwa97] which implements arbitrary PTS's. 

L is a subsystem of the logic $\lambda\omega L$ introduced in [Pol94] as a logic for reasoning 
about the higher-order typed lambda calculus (system $F^\omega$). $\lambda\omega L$ includes a few 
more PTS rules, so that it includes the higher-order rather than the second-order 
lambda calculus as "programming language" and allows more powerful 
abstractions in the logic (such as polymorphic predicates). □ 

3.2 The logic for parametricity 

The logic Par extends L with an axiom for every type $T$ which states that 
all elements of $T$ satisfy a certain parametricity property. Since we are only 
interested in certain properties of existential types in Par - viz. the simulation 
principles - we simply introduce these properties as axioms here. 

First, the constructions $\to$ and $\times$ for building types have to be "lifted" to 
constructions for building relations on types. 

Definition 2. Let $R_1$ and $R_2$ be relations (i.e. binary predicates), with $R_i : A_i \to A_i' \to *_p$. 
Then the relations $R_1 \to R_2 : (A_1 \to A_2) \to (A_1' \to A_2') \to *_p$ 
and $R_1 \times R_2 : (A_1 \times A_2) \to (A_1' \times A_2') \to *_p$ are defined as follows 

$f\,(R_1 \to R_2)\,f' \;=\; \forall x{:}A_1, x'{:}A_1'.\; x\,R_1\,x' \Rightarrow (f\,x)\,R_2\,(f'\,x')$ 
$f\,(R_1 \times R_2)\,f' \;=\; (f.1)\,R_1\,(f'.1) \wedge (f.2)\,R_2\,(f'.2)$ 

Now we lift the type expressions $A(X)$ to relations: 

Definition 3. Let $A(X)$ be a type expression built using $\to$ and $\times$ from $X$ and 
closed type expressions. We write $A(B)$ for $A[B/X]$. 

For any relation $\sim\, : B_1 \to B_2 \to *_p$ the relation $A(\sim) : A(B_1) \to A(B_2) \to *_p$ 
is defined by induction on the structure of $A$, as follows: 

$A(\sim) = A_1(\sim) \to A_2(\sim)$, if $A(X) = A_1(X) \to A_2(X)$ 
$A(\sim) = A_1(\sim) \times A_2(\sim)$, if $A(X) = A_1(X) \times A_2(X)$ 
$A(\sim) = \;\sim$, if $A(X) = X$ 
$A(\sim) = \;=_C$, otherwise, i.e. $A(X) = C$ and $X \notin FV(C)$ 

In the right-hand sides $\to$ and $\times$ denote the constructions on relations defined in 
Definition 2, and $=_C$ is Leibniz' equality as defined in Definition 1. □ 

As an example, consider the interface of the ADT for bags. Suppose $\sim\, : B_1 \to B_2 \to *_p$. 
Then $BagSig(\sim) : BagSig(B_1) \to BagSig(B_2) \to *_p$ is the following 
relation on 3-tuples: 

$((empty_1, add_1, card_1), (empty_2, add_2, card_2)) \in BagSig(\sim)$ 
$\Leftrightarrow\; empty_1 \sim empty_2 \;\wedge$ 
$\forall n{:}Nat, b_1{:}B_1, b_2{:}B_2.\; b_1 \sim b_2 \Rightarrow add_1(n, b_1) \sim add_2(n, b_2) \;\wedge$ 
$\forall n{:}Nat, b_1{:}B_1, b_2{:}B_2.\; b_1 \sim b_2 \Rightarrow card_1(n, b_1) =_{Nat} card_2(n, b_2)$ 
Definition 4 (Par). The logic Par is the extension of L with the axioms 

$\forall u_1, u_2 : \exists X.\,A(X).$ 
$\quad u_1 = u_2$ 
$\quad \Leftrightarrow\; (\exists X_1, X_2.\; \exists x_1{:}A(X_1), x_2{:}A(X_2).\; \exists \sim\, : X_1 \to X_2 \to *_p.$ 
$\qquad u_1 = \mathrm{pack}\,(X_1, x_1) \;\wedge\; u_2 = \mathrm{pack}\,(X_2, x_2) \;\wedge\; (x_1, x_2) \in A(\sim))$ 

for all type expressions $A(X)$ built using $\to$ and $\times$ from $X$ and closed type 
expressions. □ 

This axiom allows us to prove equivalence of different implementations of an 
ADT by showing there exists a simulation relation between them. We will 
refer to this proof principle as simulation. 



Example: Equality of bag implementations. 

We briefly illustrate how we can prove equivalence of different data representations 
in Par. 

Recall the implementation $imp_1 : BagImp$. Now consider another implementation 
of the ADT for bags, where we implement the add-operation not as the 
cons-operation on Lists, but as the snoc-operation on Lists, which adds an element 
to the end rather than the front of a list: 

$imp_2 = \mathrm{pack}\,(List, (nil, snoc, count)) : BagImp.$ 

Intuitively, this should not make any difference, because the order of the list 
representing a bag is irrelevant. In Par we can prove $imp_1 =_{BagImp} imp_2$, 
namely by proving $((nil, cons, count), (nil, snoc, count)) \in BagSig(\sim_{perm})$, where 
$\sim_{perm} : List \to List \to *_p$ relates all lists that are permutations of each other. 

Of course, $imp_1$ and $imp_2$ use the same datatype to represent bags. But we 
can also prove equivalence of implementations that use different representation 
types. For example, consider the implementation $imp_3$ below, which represents 
bags as functions of type $Nat \to Nat$: 

$imp_3 = \mathrm{pack}\,(Nat \to Nat, (const_0, addimp, app)) : BagImp$ 

where 

$const_0 = \lambda n{:}Nat.\; 0$ 
$addimp = \lambda (n, f){:}(Nat \times (Nat \to Nat)).\; \lambda m{:}Nat.\; \text{if } m = n \text{ then } 1 + (f\,m) \text{ else } f\,m$ 
$app = \lambda (n, f){:}(Nat \times (Nat \to Nat)).\; f\,n$ 

The principle of simulation can be used to prove $imp_1 =_{BagImp} imp_3$, namely 
by showing that $((nil, cons, count), (const_0, addimp, app)) \in BagSig(\sim)$, where 
$\sim\, : List \to (Nat \to Nat) \to *_p$ relates $l : List$ and $f : Nat \to Nat$ iff $\forall n.\; f\,n = count(n, l)$. 
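The simulation checks for $imp_1$, $imp_2$ and $imp_3$ above, as an added example that is not part of the original paper: the three implementations, the relations $\sim_{perm}$ and "$l \sim f$ iff $\forall n.\, f\,n = count(n, l)$", and a checker for the three clauses of $BagSig(\sim)$ from Definition 3. The sample lists, the range of naturals and the helper `encode` (which builds the $imp_3$ representation of a given list) are this example's own choices. Because the universal quantifiers are checked over finite samples, a positive result is evidence rather than a proof, while a negative result (the last function, which tries a relation that is too coarse) is a genuine counterexample.

```python
"""Finite checks of the simulation relation BagSig(~) between the bag
implementations imp1, imp2 and imp3 of the text.  Added example, not the
paper's code; quantifiers over Nat and over representations are replaced
by constructed finite samples."""

Nat = int


def count(n: Nat, l: tuple) -> Nat:
    """Multiplicity of n in the list l (the card of imp1 and imp2)."""
    return sum(1 for x in l if x == n)


# imp1: bags as lists, add = cons (front); imp2: add = snoc (back)
imp1 = ((), lambda n, l: (n,) + l, count)
imp2 = ((), lambda n, l: l + (n,), count)

# imp3: bags as functions Nat -> Nat giving each element's multiplicity
const0 = lambda n: 0
def addimp(n, f):
    return lambda m: 1 + f(m) if m == n else f(m)
def app(n, f):
    return f(n)
imp3 = (const0, addimp, app)


def perm(l1, l2) -> bool:
    """~perm: l1 and l2 are permutations of each other."""
    return sorted(l1) == sorted(l2)

SAMPLE_NATS = range(0, 5)      # constructed sample of Nat

def count_rel(l, f) -> bool:
    """l ~ f iff forall n. f n = count(n, l), checked on SAMPLE_NATS."""
    return all(f(n) == count(n, l) for n in SAMPLE_NATS)


def in_bagsig(ops1, ops2, rel, pairs, nats=SAMPLE_NATS) -> bool:
    """((empty1,add1,card1),(empty2,add2,card2)) in BagSig(rel), checked on
    the given `pairs` of rel-related representations and naturals `nats`."""
    empty1, add1, card1 = ops1
    empty2, add2, card2 = ops2
    if not rel(empty1, empty2):                 # empty1 ~ empty2
        return False
    for b1, b2 in pairs:
        assert rel(b1, b2), "sample pairs must be related"
        for n in nats:
            if not rel(add1(n, b1), add2(n, b2)):   # add1(n,b1) ~ add2(n,b2)
                return False
            if card1(n, b1) != card2(n, b2):        # card1(n,b1) =Nat card2(n,b2)
                return False
    return True


SAMPLE_LISTS = [(), (1,), (2, 1), (1, 2), (3, 1, 2), (2, 2, 1), (1, 2, 2, 3)]

def encode(l):
    """imp3 representation of the bag with elements l (helper of this example)."""
    f = const0
    for x in l:
        f = addimp(x, f)
    return f


def imp1_sim_imp2() -> bool:
    """~perm is a simulation between imp1 and imp2."""
    pairs = [(l1, l2) for l1 in SAMPLE_LISTS for l2 in SAMPLE_LISTS if perm(l1, l2)]
    return in_bagsig(imp1, imp2, perm, pairs)


def imp1_sim_imp3() -> bool:
    """The count relation is a simulation between imp1 and imp3."""
    pairs = [(l, encode(l)) for l in SAMPLE_LISTS]
    return in_bagsig(imp1, imp3, count_rel, pairs)


def same_length_is_no_simulation() -> bool:
    """A relation that is too coarse: equal length does not respect card."""
    same_len = lambda l1, l2: len(l1) == len(l2)
    pairs = [((1,), (2,))]        # related by same_len, but the counts differ
    return in_bagsig(imp1, imp2, same_len, pairs)
```

`in_bagsig` only ever sees pairs that are already related (it asserts this), which is exactly how the two hypotheses $b_1 \sim b_2$ in $BagSig(\sim)$ are discharged; the `add` clause then checks that relatedness is preserved and the `card` clause that observations agree.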
4 Insufficiency of Par 

We will show that the principle of simulation that Par provides is not sufficient 
for reasoning over ADT's. To illustrate this, we consider a specification for the 
ADT of bags. 

Naive Specification 

A possible specification for the operations $empty$, $add$, and $card$ could be: 

$\forall n{:}Nat.\; card(n, empty) =_{Nat} 0 \;\wedge$ 
$\forall m{:}Nat, s{:}Bag.\; card(m, add(m, s)) =_{Nat} 1 + card(m, s) \;\wedge$ 
$\forall m, n{:}Nat, s{:}Bag.\; m \neq_{Nat} n \Rightarrow card(m, add(n, s)) =_{Nat} card(m, s) \;\wedge$ 
$\forall m, n{:}Nat, s{:}Bag.\; add(m, add(n, s)) =_{Bag} add(n, add(m, s))$ 

We will consider a simple specification Spec giving only the last conjunct. This 
is the most interesting part of the specification, as it uses equality of bags. For 
any type $Bag$ and any triple $(empty, add, card) : BagSig(Bag)$ we define 

$Spec(Bag, (empty, add, card))$ 
$\;=\; \forall m, n{:}Nat, s{:}Bag.\; add(m, add(n, s)) =_{Bag} add(n, add(m, s)).$ 

Spec can be turned into a predicate on $BagImp$ as follows 

$Spec^{\exists} : BagImp \to *_p$ 
$\;=\; \lambda imp{:}BagImp.\; \exists Rep, ops.\; imp =_{BagImp} \mathrm{pack}\,(Rep, ops) \wedge Spec(Rep, ops)$ 

Note that here $Spec(Rep, ops)$ uses Leibniz' equality on type $Rep$, i.e. $=_{Rep}$. 
Clearly 

$Spec(Rep, ops) \Rightarrow Spec^{\exists}(\mathrm{pack}\,(Rep, ops)).$ 

(But beware that the reverse implication does not always hold. In fact, this would 
be inconsistent with parametricity, following the example given in Remark 3.) 

Remark 2. It is tempting to extend the "open _ as (_, _) in _" construction that 
we have for programs to predicates, c.f. the inductive types proposed in [CP90]. 
This so-called "strong" elimination principle is included in Coq [PM93]. It would 
mean having the rule 

$\dfrac{\Gamma, x{:}A \vdash P : *_p \qquad \Gamma \vdash s : \exists X.\,A \qquad X \notin FV(\Gamma)}{\Gamma \vdash (\mathrm{open}\ s\ \mathrm{as}\ (X, x)\ \mathrm{in}\ P) : *_p}$ 

With this rule the specification Spec could be turned into a predicate on $BagImp$ 
in a much more direct way: 

$Spec^{\exists}(imp) = \mathrm{open}\ imp\ \mathrm{as}\ (Bag, ops)\ \mathrm{in}\ Spec(Bag, ops)$ 

and $Spec^{\exists}(\mathrm{pack}\,(List, (nil, cons, count)))$ would then simply $\beta$-reduce to 
$Spec(List, (nil, cons, count))$, so these two propositions would be equivalent. 
Unfortunately, this is inconsistent with parametricity, as shown in Remark 3. □ 
The problem with the naive specification 

The specification $Spec^{\exists}$ might be what the user of the ADT wants, but it may 
be a problem for the implementor of the ADT to meet this specification. As an 
example we take the implementation $imp_1$, 

$imp_1 = \mathrm{pack}\,(List, (nil, cons, count)) : BagImp,$ 

and consider the following question: Can we prove $Spec^{\exists}(imp_1)$? 

We could prove $Spec^{\exists}(imp_1)$ by proving $Spec(List, (nil, cons, count))$, i.e. by 
proving 

$\forall m, n{:}Nat, s{:}List.\; cons(m, cons(n, s)) =_{List} cons(n, cons(m, s)).$ 

But this is clearly not true! Note that the proposition above uses Leibniz' equality 
of lists, $=_{List}$, since Spec uses Leibniz' equality. The equality above makes sense 
for bags, but not for lists. We could only prove the proposition above for a weaker 
notion of equality for lists than $=_{List}$, e.g. $\sim_{perm}$. 

We now discuss two ways to solve (or avoid) the problem above. Neither of 
these is really acceptable, which is why we then propose an extension of the logic 
Par to solve the problem in a more satisfactory way. 



Solution 1: Finding another implementation 

Recall that by the definition of $Spec^{\exists}$ 

$Spec^{\exists}(imp_1) \Leftrightarrow \exists Rep, ops.\; imp_1 =_{BagImp} \mathrm{pack}\,(Rep, ops) \wedge Spec(Rep, ops).$ 

So we can prove $Spec^{\exists}(imp_1)$ by finding another implementation $\mathrm{pack}\,(Rep, ops)$ 
of the ADT such that $imp_1 =_{BagImp} \mathrm{pack}\,(Rep, ops)$ for which we can prove 
$Spec(Rep, ops)$. 

It turns out that such an implementation exists, namely the implementation 
which represents bags as sorted lists. Let 

$imp_{sort} = \mathrm{pack}\,(List, (nil, insert, count)),$ 

where $insert : Nat \times List \to List$ inserts a natural number in a list and returns 
the list sorted. For this implementation we can prove it meets Spec, since 

$\forall m, n{:}Nat, s{:}List.\; insert(m, insert(n, s)) =_{List} insert(n, insert(m, s)).$ (i) 

The reason we can prove Spec for this implementation is due to the fact that for 
this particular representation - bags are represented as sorted lists - equality of 
the concrete representation type, i.e. equality of lists, coincides with equality of 
the abstract type, i.e. equality of bags. 

Using parametricity we can prove 

$imp_1 =_{BagImp} imp_{sort},$ (ii) 

namely by showing that $\sim_{perm}$ is a simulation relation between the two implementations. 
Now $Spec^{\exists}(imp_1)$ follows from (i) - i.e. $Spec(List, (nil, insert, count))$ 
- and (ii). 

There are obvious drawbacks to this way of proving $Spec^{\exists}(imp_1)$. Firstly, 
it is not acceptable that to prove correctness of our original implementation 
$imp_1$ we have to come up with a second implementation $imp_{sort}$. Moreover, it 
may not always be possible to find a second implementation that does meet the 
specification, i.e. for which concrete and abstract equality coincide! For example, 
for a generic datatype $Bag(X)$ of bags over an arbitrary type $X$ we would have 
a problem; there is no way to extend the implementation using sorted lists of 
natural numbers to lists of an arbitrary type, since there is no generic sorting 
algorithm for arbitrary types. 

Remark 3. We can use $imp_{sort}$ to show the inconsistency of the elimination 
scheme discussed in Remark 2. If $Spec^{\exists}$ were defined with this scheme, then 
$Spec^{\exists}(\mathrm{pack}\,(Rep, ops))$ would be $\beta$-equivalent with $Spec(Rep, ops)$, so then 

$Spec^{\exists}(imp_1) \Leftrightarrow Spec(List, (nil, cons, count))$ 
$Spec^{\exists}(imp_{sort}) \Leftrightarrow Spec(List, (nil, insert, count))$ 

But $Spec(List, (nil, cons, count))$ is false (because $cons$ is not "commutative"), 
whereas $Spec(List, (nil, insert, count))$ is true (because $insert$ is "commutative"). 
And by parametricity $imp_1 = imp_{sort}$, so $Spec^{\exists}(imp_1) \Leftrightarrow Spec^{\exists}(imp_{sort})$, and 
we have a contradiction. □ 



Solution 2: Using a weaker specification 

The best we could prove for $imp_1$ is that 

$\forall m, n{:}Nat, s{:}List.\; cons(m, cons(n, s)) \sim_{perm} cons(n, cons(m, s)).$ 

Note that $\sim_{perm}$ is a bisimulation for the implementation, i.e. 

$((nil, cons, count), (nil, cons, count)) \in BagSig(\sim_{perm}),$ (†) 

since $nil \sim_{perm} nil$, $\forall n{:}Nat, l, l'{:}List.\; l \sim_{perm} l' \Rightarrow cons(n, l) \sim_{perm} cons(n, l')$, 
and $\forall n{:}Nat, l, l'{:}List.\; l \sim_{perm} l' \Rightarrow count(n, l) =_{Nat} count(n, l')$. Intuitively, 
(†) says that lists in the relation $\sim_{perm}$ cannot be distinguished using the bag-operations, 
so that lists in the relation $\sim_{perm}$ represent the same bag. With this 
in mind, one could propose a weaker specification for bags. First, we abstract 
the specification Spec over a notion of equality for bags, to get the following 
"generic" specification GenSpec: 

$GenSpec(Bag, (empty, add, card), \sim)$ 
$\;=\; \forall m, n{:}Nat, s{:}Bag.\; add(m, add(n, s)) \sim add(n, add(m, s)).$ 

(So $Spec(Bag, ops) = GenSpec(Bag, ops, =_{Bag})$.) 
We can now consider the following weaker specification 

$WeakSpec(Bag, ops)$ 
$\;=\; \exists \sim\, : Bag \to Bag \to *_p.\; GenSpec(Bag, ops, \sim) \wedge (ops, ops) \in BagSig(\sim) \wedge Equiv(\sim),$ 

where $Equiv(\sim)$ says that $\sim$ is an equivalence relation. 

Turning WeakSpec into a predicate $WeakSpec^{\exists}$ on $BagImp$ we get 

$WeakSpec^{\exists} : BagImp \to *_p$ 
$\;=\; \lambda imp{:}BagImp.\; \exists Rep, ops.\; imp =_{BagImp} \mathrm{pack}\,(Rep, ops) \wedge WeakSpec(Rep, ops).$ 

The implementor of the ADT will be happy with this weaker specification, as it 
is possible to prove $WeakSpec^{\exists}(imp_1)$, simply by proving 
$WeakSpec(List, (nil, cons, count))$, taking $\sim_{perm}$ for $\sim$. 

The user of the ADT on the other hand will be less happy with $WeakSpec^{\exists}$: 
rather than using the standard Leibniz' equality of bags, the user has to reason 
about bags using some bisimulation $\sim$ as notion of equality for bags. This seems 
an unnecessary complication: there is no reason why the user shouldn't use 
Leibniz' equality instead of $\sim$. Indeed, this is precisely the abstraction that the 
abstract data type is supposed to provide. 

5 Our Solution: Extending the logic 

Given that the two solutions discussed above are not really satisfactory, we now 
consider an extension of the logic Par that provides a satisfactory solution of 
the problem. 

What we really want is a way to relate the two specifications, $WeakSpec^{\exists}$ 
and $Spec^{\exists}$, by proving 

$\forall imp{:}BagImp.\; WeakSpec^{\exists}(imp) \Rightarrow Spec^{\exists}(imp).$ (*) 

Then the implementor of the ADT would only have to establish $WeakSpec^{\exists}$ - 
i.e. prove the specification up to some bisimulation - and the user of the ADT 
could assume the stronger specification $Spec^{\exists}$ - i.e. assume the specification with 
(Leibniz') equality. Intuitively the property (*) seems OK. (Indeed, it is true 
in the PER model.) 

It turns out that if we have quotient types then (*) can be proved. Quotient 
types are available in some type theories, e.g. Nuprl [Con86], and have been 
proposed as extensions of other type theories, see e.g. [Hof95] [BG96]. 

We will first give the general idea of how quotient types can be used to 
prove the property above. Suppose $WeakSpec^{\exists}(imp)$, i.e. 

$GenSpec(Rep, ops, \sim) \wedge (ops, ops) \in BagSig(\sim) \wedge Equiv(\sim)$ 

for some $\mathrm{pack}\,(Rep, ops) =_{BagImp} imp$ and some $\sim$. The trick to proving (*) is 
to consider the quotient type $Rep/\!\sim$, i.e. the type with $\sim$-equivalence classes of 
$Rep$ as elements. 

$(ops, ops) \in BagSig(\sim)$ 

says that $ops$ respects $\sim$-equivalence classes, so $ops$ induces a related function 
$ops/\!\sim$ on $\sim$-equivalence classes, $ops/\!\sim\; : BagSig(Rep/\!\sim)$. And by the principle 
of simulation it follows that 

$\mathrm{pack}\,(Rep, ops) = \mathrm{pack}\,(Rep/\!\sim, ops/\!\sim).$ 

The interesting thing about $ops/\!\sim$ is that it satisfies the specification up to 
Leibniz' equality: it follows from $GenSpec(Rep, ops, \sim)$ that 

$GenSpec(Rep/\!\sim, ops/\!\sim, =_{Rep/\sim}),$ 

i.e. $Spec(Rep/\!\sim, ops/\!\sim)$! 

Note that the argument above goes along the lines indicated in Solution 1. 
But the use of quotient types means that the additional work of finding another 
implementation of the ADT is avoided, as this implementation is constructed as a 
quotient. (So we avoid the drawbacks mentioned on page 320, under Solution 1.) 

We could consider adding quotient types to the syntax of the second-order 
lambda calculus. But we do not actually have to do this: it suffices if we add 
axioms to the logic stating that quotients exist: 

Definition 5 (ParQuot). The logic ParQuot is the extension of Par with 
the axioms 

$\forall X.\; \forall \sim\, : X \to X \to *_p.$ 
$\quad Equiv(\sim) \Rightarrow$ 
$\quad \exists Q.\; \forall opsX{:}A(X).\; (opsX, opsX) \in A(\sim) \Rightarrow$ 
$\qquad \exists opsQ{:}A(Q).\; isQuot(X, opsX, Q, opsQ)$ 

where 

$isQuot(X, opsX, Q, opsQ)$ 
$\;=\; \exists inj{:}X \to Q.\; (\forall r, r'{:}X.\; r \sim r' \Leftrightarrow (inj\ r) =_Q (inj\ r')) \;\wedge$ 
$\qquad (\forall q{:}Q.\; \exists r{:}X.\; q =_Q (inj\ r)) \;\wedge$ 
$\qquad (opsX, opsQ) \in A(\lambda r{:}X, q{:}Q.\; q =_Q (inj\ r))$ 

for all type expressions $A(X)$ built using $\to$ and $\times$ from $X$ and closed type 
expressions. □ 

The same PER model used in [PA93] as a semantics for their logic, viz. 
[BFSS90], quite trivially justifies these additional axioms. Indeed, in a PER 
model all types are "quotient types"! 

Theorem 4. In the logic ParQuot it can be proved that 

$\forall imp{:}BagImp.\; WeakSpec^{\exists}(imp) \Rightarrow Spec^{\exists}(imp).$ 

Proof. Assume that $WeakSpec^{\exists}(imp)$ holds. Then there exists a type $Rep$ with 
$ops : BagSig(Rep)$ such that 

$imp =_{BagImp} \mathrm{pack}\,(Rep, ops)$ 

for which $GenSpec(Rep, ops, \sim) \wedge (ops, ops) \in BagSig(\sim) \wedge Equiv(\sim)$ for some 
$\sim\, : Rep \to Rep \to *_p$. 

By $(ops, ops) \in BagSig(\sim)$ and $Equiv(\sim)$ there then exists a type $Q$ with 
$opsQ : BagSig(Q)$ and $inj : Rep \to Q$ such that 

$\forall r, r'{:}Rep.\; r \sim r' \Leftrightarrow (inj\ r) =_Q (inj\ r')$ (i) 
$\forall q{:}Q.\; \exists r{:}Rep.\; q =_Q (inj\ r)$ (ii) 
$(ops, opsQ) \in BagSig(\lambda r{:}Rep, q{:}Q.\; q =_Q (inj\ r))$ (iii) 

It follows from (iii) that $\mathrm{pack}\,(Q, opsQ) =_{BagImp} \mathrm{pack}\,(Rep, ops)$. Using the 
definition of GenSpec, we can prove 

$GenSpec(Q, opsQ, =_Q)$ (iv) 

using $GenSpec(Rep, ops, \sim)$ and (i), (ii), and (iii). 

And (iv) is equivalent with $Spec(Q, opsQ)$, and since $\mathrm{pack}\,(Q, opsQ) =_{BagImp} \mathrm{pack}\,(Rep, ops) =_{BagImp} imp$ 
it then follows that $Spec^{\exists}(imp)$. □ 

Similar theorems can be proved for other ADT's and other (equational) specifications: 
for any other ADT and specification for it, a weak version of the specification 
using some relation $\sim$ (similar to $WeakSpec^{\exists}$) and the strong version 
using Leibniz' equality (similar to $Spec^{\exists}$) can be related in exactly the same way 
as in the theorem above. 
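The quotient construction of the theorem carried out concretely for $Rep = List$ and $\sim\, = \sim_{perm}$, as an added example that is not part of the original paper. The choice of $Q$ as the sorted lists with $inj$ = sorting is this example's own (it is what makes $Q$ coincide with the representation of $imp_{sort}$ from Solution 1); the induced operations $ops/\!\sim$ are obtained by applying the concrete operation and re-sorting. The functions check the three clauses of $isQuot$ from the ParQuot axioms on constructed sample lists, and that $Spec$ with structural (Leibniz) equality fails on $List$ but holds on $Q$, while $GenSpec$ with $\sim_{perm}$ holds on $List$.

```python
"""Quotient of the list representation of bags by ~perm (the construction
used in the proof of the theorem), as an added example; not the paper's
code.  Q is realised as the sorted tuples and inj as sorting, so that
r ~perm r' iff inj r == inj r'.  Quantifiers are checked over samples."""
from itertools import product

SAMPLE_LISTS = [(), (1,), (2, 1), (1, 2), (3, 1, 2), (2, 2, 1), (1, 2, 2, 3)]
NATS = range(0, 5)       # constructed sample of Nat


def count(n, l):
    return sum(1 for x in l if x == n)

# concrete implementation imp1: Rep = List, ops = (nil, cons, count)
nil = ()
cons = lambda n, l: (n,) + l
card = count
perm = lambda l1, l2: sorted(l1) == sorted(l2)       # ~perm


def inj(l):
    """Canonical representative of the ~perm-class of l (an element of Q)."""
    return tuple(sorted(l))

# induced operations ops/~ on Q; well defined because (ops, ops) in BagSig(~perm)
emptyQ = inj(nil)
addQ = lambda n, q: inj(cons(n, q))
cardQ = card


def is_quot(lists=SAMPLE_LISTS, nats=NATS):
    """Finite check of the three clauses of isQuot(List, ops, Q, opsQ)."""
    # (i)  r ~ r'  iff  inj r =Q inj r'
    i = all(perm(r, r2) == (inj(r) == inj(r2)) for r, r2 in product(lists, repeat=2))
    # (ii) every q : Q is inj r for some r; here q itself, since inj is idempotent
    ii = all(inj(inj(r)) == inj(r) for r in lists)
    # (iii) (ops, opsQ) in BagSig(R) where r R q iff q =Q inj r
    iii = emptyQ == inj(nil) and all(
        addQ(n, inj(r)) == inj(cons(n, r)) and cardQ(n, inj(r)) == card(n, r)
        for n in nats for r in lists)
    return i and ii and iii


def genspec(add, eq, bags, nats=NATS):
    """GenSpec(Bag, (empty, add, card), eq): add is commutative up to eq."""
    return all(eq(add(m, add(n, s)), add(n, add(m, s)))
               for m in nats for n in nats for s in bags)

leibniz = lambda a, b: a == b    # =T on a concrete type: structural equality


def spec_on_list():
    """Spec(List, (nil, cons, count)), i.e. GenSpec with =List: fails."""
    return genspec(cons, leibniz, SAMPLE_LISTS)


def genspec_on_list_up_to_perm():
    """GenSpec(List, (nil, cons, count), ~perm): holds."""
    return genspec(cons, perm, SAMPLE_LISTS)


def spec_on_quotient():
    """Spec(Q, opsQ), i.e. GenSpec with =Q: holds, as the theorem predicts."""
    return genspec(addQ, leibniz, [inj(l) for l in SAMPLE_LISTS])
```

The point of the construction is visible in `addQ`: because `cons` respects $\sim_{perm}$, re-sorting after each operation gives an implementation on which structural equality is exactly bag equality, so the user's Leibniz-style specification is met without anyone having had to invent $imp_{sort}$ by hand.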

6 Conclusion 

In this paper we have explored the gap between the formal notion of parametric- 
ity of [PA93] and the important “folk” reasoning principle about ADT’s, which 
we have called abstraction. 

Roughly, this principle of abstraction says that elements of the concrete repre- 
sentation type of an ADT can be considered equal if they are not distinguishable 
using the ADT-operations. For example, if we implement bags as lists, then lists 
that are permutations cannot be distinguished using the bag-operations - they 
represent the same bag - and can hence be considered equal. To prove that such 
an implementation of bags satisfies an equational specification we may therefore 
use permutation of lists as the notion of equality. This principle of abstraction 
is a well-known reasoning principle for ADT’s. 

Parametricity provides the proof principle of simulation for existential types 
[Mit91] [PA93]. This is a useful proof principle if existential types are used for 
abstract data types: it provides a method to prove that different implementations 
of an ADT are equivalent, namely by showing that there exists a simulation 
relation between them. 
However, we have shown that this principle of simulation alone is not enough 
to reason about ADT's, since in general it does not provide the proof principle 
of abstraction that we want. This observation is new, as far as we know. However, 
extending the logic for parametricity of [PA93] with axioms stating the 
existence of quotients is enough to solve this problem. Like the original logic 
for parametricity of [PA93] these additional axioms can be justified by a PER 
model. 

Proofs for the example of the specification for bags have all been verified 
using the interactive theorem prover Yarrow [Zwa97] . Indeed, it was only in the 
course of formalising specifications for ADT’s in Yarrow that we noticed that 
more was needed than just the proof principle of simulation to reason about 
specifications of ADT’s. 
Abstract. Contrary to all expectations, the $\lambda\sigma$-calculus, the canonical 
simply-typed lambda-calculus with explicit substitutions, is not strongly 
normalising. This result has led to a proliferation of calculi with explicit 
substitutions. This paper shows that the reducibility method provides 
a general criterion for when a calculus of explicit substitutions is strongly 
normalising for all untyped lambda-terms that are strongly normalising. 
This result is general enough to imply preservation of strong normalisation 
for the calculi considered in the literature. We also propose a version 
of the $\lambda\sigma$-calculus with explicit substitutions which is strongly normalising 
for strongly normalising $\lambda$-terms. 



1 Introduction 

The essence of the $\lambda$-calculus is the $\beta$-reduction rule $(\lambda x.M)N \to M[N/x]$. It 
uses substitution, which is a meta-operation and not part of the calculus. This is 
unsatisfactory for implementations because the handling of substitutions is the 
difficult part and has to be done in several steps and not in one, as the $\beta$-rule 
might suggest. Take for example environment machines for functional languages 
like OCAML, ML or Haskell: an environment is just a list of outstanding substitutions, 
and substituting $M$ for $x$ is turned into accessing the component in the 
environment corresponding to $x$. As a consequence the correspondence between 
$\lambda$-calculus and the implementations becomes highly nontrivial. This complicates 
reasoning about implementations significantly. 

As a way of making this reasoning easier, Abadi et al. [1] define the $\lambda\sigma$-calculus, 
which incorporates substitutions explicitly into the calculus. For this 
purpose they introduce an extra syntactic category of substitutions, which consists 
essentially of a list of pairs $(M_i/x_i)$, where $x_i$ is a variable and $M_i$ a term. To 
distinguish the explicit substitution from the meta-operation, we use a different 
symbol to denote explicit substitution, e.g. the term $M[N/x]$ in the $\lambda$-calculus 
becomes $M(N/x)$ in the $\lambda\sigma$-calculus. The reduction rules of the $\lambda\sigma$-calculus are 
the beta-rule, which creates an explicit substitution, and rules for carrying out 
substitutions, which formalise the standard inductive definition of substitution. 

* Research supported by EPSRC-grant GR/L28296 under the title “The eXplicit Sub- 
stitution Linear Abstract Machine”. 



J.-Y. Girard (Ed.): TLCA’99, LNCS 1581, pp. 325-339, 1999. 
Springer-Verlag Berlin Heidelberg 1999 






Eike Ritter 



Because this change has only turned substitution from an implicit operation 
into an explicit one it is natural to expect the meta-theory of the $\lambda\sigma$-calculus and 
the $\lambda$-calculus to coincide. More precisely, one expects the following properties 
of the $\lambda\sigma$-calculus: 

1. it is confluent, possibly even confluent when meta-variables are added (the 
meta-variables are useful for applications of explicit substitutions in theorem 
proving); 

2. the normal forms of terms are normal $\lambda$-terms; 

3. each reduction step in the $\lambda$-calculus gives rise to possibly many reduction 
steps in the $\lambda\sigma$-calculus and each reduction step in the $\lambda\sigma$-calculus corresponds 
to some number of $\beta$-reductions in the $\lambda$-term which is obtained by 
eliminating explicit substitutions; 

4. the $\lambda\sigma$-calculus preserves strong normalisation, i.e., any $\beta$-strongly normalising 
$\lambda$-term is also a strongly normalising $\lambda\sigma$-term. 

The last property will be abbreviated by PSN in the sequel, and we will also 
write SN for strongly normalising. 

Abadi et al. [1] show confluence without meta-variables and the second 
and third property for the $\lambda\sigma$-calculus. Curien et al. [5] show that the $\lambda\sigma$-calculus 
is not confluent if meta-variables are added. (Terms with meta-variables are often 
called open terms, and hence confluence of a calculus with meta-variables is called 
confluence on open terms.) They also introduce additional syntax for special 
substitutions in the $\lambda\sigma$-calculus. This yields a calculus which is confluent on 
open terms, the so-called $\lambda\sigma_{\Uparrow}$-calculus. 

To everyone's surprise the fourth property fails spectacularly. Melliès [12] 
gives a strongly normalising $\lambda$-term which reduces to the identity $\lambda x.x$ but nevertheless 
admits an infinite reduction sequence in the $\lambda\sigma$-calculus as well as in 
the $\lambda\sigma_{\Uparrow}$-calculus. Typing does not provide a solution: the counterexample is a 
well-formed term of the simply-typed $\lambda$-calculus. 

Fixing this problem and finding a $\lambda$-calculus with explicit substitutions that 
has all desired meta-theoretic properties turned out to be rather difficult. Melliès' 
counterexample enforces severe restrictions on the possible reduction sequences. 
Since he presented this example various ways of capturing these restrictions 
syntactically have been designed. Firstly, the use of nested substitutions has 
been severely limited. This restriction is motivated by the fact that environment 
machines can be modelled without nested substitutions. In this way we obtain 
PSN because the nested substitutions are the main reason for the failure of PSN. 
Examples of this approach are the $\lambda x$-calculus [4], the $\lambda\upsilon$-calculus [2] and the $\lambda\zeta$-calculus 
[13], the last being also confluent on open terms. In the second approach, 
composition has been retained but the use of environments (i.e., substitutions 
which are lists of terms) has been severely curtailed. Examples of this approach 
are a $\lambda\sigma_{\Uparrow}$-calculus without environments [7], the $\lambda s_e$-calculus [10] and the $\lambda x_{ci}$-calculus 
[11]. The second and third calculus are confluent on open terms, and the 
first and third preserve strong normalisation. Apart from one proof of strong 
normalisation for a typed $\lambda x$-calculus using a mapping of the $\lambda x$-calculus into 
proof nets [6] all other proofs use term rewriting techniques. Recursive path 
orderings provide a good way of showing preservation of strong normalisation 
for these calculi [3]. 

This paper pursues a different line of reasoning and uses the reducibility 
method to show preservation of strong normalisation. In [15] we used this method 
to show that all reduction strategies that first reduce an expression to weak head 
normal form and then to a normal form terminate for the typed $\lambda\sigma$-calculus. This 
paper generalises this argument to give a criterion for when a $\lambda$-calculus with explicit 
substitutions preserves strong normalisation. This criterion ensures that all 
possible contracta of a $\beta$-redex correspond to the stepwise execution of the corresponding 
implicit substitutions in the $\lambda$-calculus. The criterion is a generalisation 
of the restriction in [11] which ensures preservation of strong normalisation. 

The reducibility method is powerful enough to show that preservation of 
strong normalisation follows from this condition. This method is sufficiently 
general to be applicable with minor modifications to all the calculi with PSN 
mentioned above. The modifications arise from the fact that not all calculi are 
subcalculi of the $\lambda\sigma$-calculus, and hence the proof has to be suitably adapted. 

Because the underlying $\lambda$-calculus is untyped, we cannot use the standard 
reducibility method, which works only for typed calculi. We use here an adaptation 
of the reducibility method to untyped calculi which replaces induction 
over the structure of types by induction over the length of the longest reduction 
sequence of a strongly normalising term of the untyped $\lambda$-calculus. The standard 
structure of a reducibility proof is preserved by this change. 

We do not consider meta-variables in this paper as the $\lambda\sigma$-calculus is not 
confluent on open terms. The criterion can also be stated for the $\lambda\sigma_{\Uparrow}$-calculus, 
and it should be possible to extend the results of this paper to this calculus 
as well. 

The paper is structured as follows. In section 2 we review our version of 
the $\lambda\sigma$-calculus. The core of the paper is section 3, where we define the criterion 
for preservation of strong normalisation and use the reducibility method to 
show that the criterion is valid. In section 4 we present a restriction of the $\lambda\sigma$-calculus 
which preserves strong normalisation. We finish by showing preservation 
of strong normalisation by applying the criterion to all the calculi mentioned 
above. 

2 A version of the $\lambda\sigma$-calculus with names 

In this section we review our version of the $\lambda\sigma$-calculus. Abadi et al. [1] use 
mainly a version with de Bruijn-numbers but also briefly mention versions with 
names without proving all meta-theoretic properties. We use here a version of 
the $\lambda\sigma$-calculus with names and explicit weakening, which we call the $\lambda\sigma_n$-calculus. 
The use of names improves the readability significantly, and the weakening is 
necessary to state the condition for preservation of strong normalisation. We 
present the version with names in this section and relate it in the appendix 
to the original presentation with de Bruijn-numbers. The results shown in this 
paper hold also for a calculus with de Bruijn-numbers. 
The raw expressions of the (untyped) $\lambda\sigma_n$-calculus are given by the following 
grammar: 

$M ::= x \mid \lambda x.M \mid MM \mid M(f)$ 
$f ::= \mathrm{weak}(X) \mid M/x \cdot f \mid f \circ f$ 

where $x$ is a variable and $X$ is a set of variables. We call expressions of the first 
kind terms and expressions of the second kind substitutions. Moreover, we write 
$M_n/x_n \cdots M_1/x_1 \cdot f$ for $M_n/x_n \cdot (M_{n-1}/x_{n-1} \cdots (M_1/x_1 \cdot f) \cdots)$ and write $\mathrm{Id}$ 
for $\mathrm{weak}(\emptyset)$ whenever convenient. We also write $\mathrm{ext}_x(f)$ for $x/x \cdot (f \circ \mathrm{weak}(x))$ 
and $\mathrm{weak}(X, x)$ for $\mathrm{weak}(X \cup \{x\})$. 

We identify terms which are identical up to change of bound variables. We 
have three binding operations: $\lambda$-abstraction, composition of substitutions $\circ$ and 
application of a substitution $\_(\_)$. In the sequel we will always use Barendregt's 
variable convention: the names of bound and free variables are different for any 
expression in any context. In particular, we identify the terms $x(N/x \cdot f)$ and 
$y(N/y \cdot f)$. For details see [14,16]. 

To rule out ill-formed terms like $N/x \cdot (M/x \cdot f)$ we introduce typing judgements 
$\Gamma \vdash M : \Omega$ and $\Gamma \vdash f : \Delta$, where $\Gamma$ and $\Delta$ are lists of variables with no 
variable occurring twice. The idea is that $\Gamma$ contains the free variables of $M$ and 
$f$, and $\Delta$ contains the variables for which the substitution $f$ provides terms to be 
substituted. Because we have an untyped calculus, we use $\Omega$ as the universal 
type. These judgements are as follows: 

(i) On terms: 

$\dfrac{}{\Gamma, x, \Gamma' \vdash x : \Omega} \qquad \dfrac{\Gamma, x \vdash M : \Omega}{\Gamma \vdash \lambda x.M : \Omega}$ 

$\dfrac{\Gamma \vdash M : \Omega \quad \Gamma \vdash N : \Omega}{\Gamma \vdash MN : \Omega} \qquad \dfrac{\Gamma \vdash f : \Delta \quad \Delta \vdash M : \Omega}{\Gamma \vdash M(f) : \Omega}$ 

(ii) On substitutions (in the first rule, $\Gamma'$ is the list $\Gamma$ with all variables in $X$ 
deleted, and all variables in $X$ occur also in $\Gamma$): 

$\dfrac{}{\Gamma \vdash \mathrm{weak}(X) : \Gamma'} \qquad \dfrac{\Gamma \vdash f : \Delta \quad \Gamma \vdash M : \Omega}{\Gamma \vdash M/x \cdot f : \Delta, x}\ (x \notin \Delta)$ 

$\dfrac{\Gamma \vdash f : \Gamma' \quad \Gamma' \vdash g : \Gamma''}{\Gamma \vdash g \circ f : \Gamma''}$ 

In the sequel we consider only well-formed terms and substitutions. 

The syntax of the $\lambda\sigma_n$-calculus is best explained by relating the terms with 
explicit substitutions to terms with the usual implicit substitution of the simply-typed 
$\lambda$-calculus. The basic idea is that a substitution $f$ in the $\lambda\sigma_n$-calculus corresponds 
to a list of terms $\vec{M} = (M_1, \ldots, M_n)$ in the $\lambda$-calculus. The operation 
$\_(\_)$ in the $\lambda\sigma_n$-calculus models the explicit substitution: a term $M(f)$ in the 
$\lambda\sigma_n$-calculus corresponds to a term $M[\vec{M}/\vec{x}]$¹ in the $\lambda$-calculus. 

¹ We write $M[\vec{M}/\vec{x}]$ for $M[M_1/x_1, \ldots, M_n/x_n]$, and will use the vector notation in 
a similar way in the future. 
The substitution $\mathrm{weak}(X)$ models weakening: the term $M(\mathrm{weak}(x))$ is only 
well-formed if $x$ is not free in $M$. The operation $\circ$ models nesting of substitutions: 
the substitution $(M/y \cdot \mathrm{Id}) \circ (N/x \cdot \mathrm{Id})$ corresponds to the substitution operator 
$[M/y][N/x]$ in the $\lambda$-calculus. We have two kinds of reduction rules: firstly, a $\beta$-reduction 
rule $(\lambda x.M)N \to M(N/x \cdot \mathrm{Id})$, and secondly rules which formalise the 
inductive definition of implicit substitutions. We call the latter rules $\sigma$-rules. The 
reduction rules are given in Figure 1. We denote by $\to^+$ the transitive closure of 
the relation $\to$ and by $\to^*$ the reflexive and transitive closure of $\to$. 



$(\lambda x.M)N \to M(N/x \cdot \mathrm{Id})$ 

$x(M/x \cdot f) \to M$ 

$y(M/x \cdot f) \to y(f)$ if $x \neq y$ 

$x(\mathrm{weak}(X)) \to x$ 

$(\lambda x.M)(f) \to \lambda x.M(\mathrm{ext}_x(f))$ 

$(MN)(f) \to (M(f))(N(f))$ 

$\mathrm{weak}(X) \circ (M/x \cdot f) \to M/x \cdot (\mathrm{weak}(X) \circ f)$ if $x \notin X$ 

$f \circ \mathrm{Id} \to f$ 

$\mathrm{weak}(X, x) \circ (M/x \cdot f) \to \mathrm{weak}(X) \circ f$ 

$\mathrm{Id} \circ f \to f$ 

$\mathrm{weak}(X) \circ \mathrm{weak}(Y) \to \mathrm{weak}(X, Y)$ 

$M(\mathrm{Id}) \to M$ 

$(M/x \cdot f) \circ g \to (M(g))/x \cdot (f \circ g)$ 

$(f \circ g) \circ h \to f \circ (g \circ h)$ 

$M(f)(g) \to M(f \circ g)$ 

Fig. 1. Reduction rules for the λσ_n-calculus 



This notion of reduction satisfies all desired properties except preservation 
of strong normalisation. The proof of this proposition uses the interpretation 
method [9]. 

Proposition 1. This notion of reduction is ground confluent (i.e., confluent on 
expressions without meta-variables), and the normal forms of terms are normal 
λ-terms. If $M \to M'$, then also $M^\sigma \to^* M'^\sigma$, where $M^\sigma$ is the λ-term obtained 
by applying all σ-rules and hence executing all explicit substitutions. Moreover, if 
the term $M$ reduces to $M'$ in the λ-calculus, then $M \to^* M'$ in the λσ_n-calculus. 

A substitution in normal form is an environment $\vec M/\vec x \cdot \mathrm{weak}(X)$, where the 
terms in $\vec M$ are normal λ-terms. 

3 Preservation of Strong Normalisation 

Melliès [12] gives a counterexample to preservation of strong normalisation for 
the λσ-calculus. This counterexample applies to many λ-calculi with explicit 
substitution, in particular to the λσ_n-calculus used in this paper. It is based on 
a nasty interaction between explicit substitution and β-reduction. Melliès gives a 
term of the simply-typed λ-calculus which reduces to the identity but which ad- 
mits an infinite reduction sequence. He exploits that in the term $((\lambda x.M)(f))N$ 
the term $N$ can interact with the substitution $f$ by the reduction sequence 

$$((\lambda x.M)(f))N \to (\lambda x.M(\mathrm{ext}_x(f)))N \to M(\mathrm{ext}_x(f) \circ (N/x \cdot \mathrm{Id})) \to^* M(N/x \cdot (f \circ \mathrm{weak}(x) \circ (N/x \cdot \mathrm{Id}))) \qquad (1)$$

Although $x$ does not occur in $f$, Melliès now pushes the substitution $\mathrm{weak}(x) \circ 
(N/x \cdot \mathrm{Id})$ inside $f$ and manages thereby to create a reduction sequence from $M$ 
to $M'$, where $M$ is a proper subterm of $M'$. This continuation is counterintuitive: 
the variable $x$ does not occur in $f$, so the only meaningful reduction sequence is 
$f \circ \mathrm{weak}(x) \circ (N/x \cdot \mathrm{Id}) \to^* f$. 

In this section we show that any restriction of the reduction relation for 
which the substitution $f \circ \mathrm{weak}(x) \circ (N/x \cdot \mathrm{Id})$ is SN if $f$ and $N$ are SN preserves 
strong normalisation. We adapt the reducibility method to show this claim, 
and give a reduction relation for the λσ_n-calculus with this property in the 
next section. The idea of the reducibility method to show SN for the simply- 
typed λ-calculus is to define a subset of λ-terms, the so-called reducible terms, 
which are SN and in addition satisfy strong closure properties. Now proving 
strong normalisation amounts to showing that every term is reducible. The key 
condition is the definition of reducibility for terms of type $A \to B$: a term $M$ of 
type $A \to B$ is reducible if for all reducible terms $N$ of type $A$, the term $MN$ 
is reducible of type $B$. Then one shows by an induction over the structure of 
the term $M$ that any term $M[\vec N/\vec x]$ is reducible if all terms in $\vec N$ are reducible 
and $\vec x$ are the free variables of $M$. The critical case in this proof is the case 
of a λ-abstraction $\lambda x.M$. One has to show that any term $((\lambda x.M)[\vec N/\vec x])N$ is 
reducible for any reducible term $N$. It turns out that it is enough to show that 
this term reduces to reducible terms only. This is easy to see, as by induction 
hypothesis the term $M[\vec N/\vec x, N/x]$ is reducible. 

If we transfer this approach to a calculus with explicit substitutions, the de- 
finition of reducibility stays unchanged, and one shows by induction over the 
structure of $M$ that for any reducible substitution $f$ the term $M(f)$ is reducible. 
Again, the interesting case is the case of a λ-abstraction $(\lambda x.M)(f)$. The re- 
duction sequence in (1) is exactly the one which causes this proof to fail: there 
is no way to derive reducibility of $f \circ \mathrm{weak}(x) \circ (M/x \cdot \mathrm{Id})$ from the reducibil- 
ity of $f$ and $M$. This is the only place where the reducibility proof fails. We 
show in this paper that the reducibility proof goes through if we require that 
$f \circ \mathrm{weak}(x) \circ (M/x \cdot \mathrm{Id})$ is SN if $f$ and $M$ are. 

Because we consider an untyped λ-calculus in this paper, we cannot use an 
induction over types as in the standard reducibility proof. The induction over 
the type structure is replaced by an induction over $\nu^\beta(M)$, where $\nu^\beta(M)$ is 
the length of the longest β-reduction sequence of the λ-term which is obtained 
from $M$ by executing all explicit substitutions. If this λ-term is not strongly 
normalising, then set $\nu^\beta(M) = \infty$. In the typed case, the reducibility of a term 
of function type is tested by applying it to reducible arguments; in the untyped 
setting the reducibility of a term is tested by applying it to reducible terms $M_i$ 
such that $\nu^\beta(M_i)$ is smaller than $\nu^\beta(M)$. 

The definition of reducibility has to consider also finite expansions of a term 
$M$ and a substitution $f$ by the associativity rules $(f \circ g) \circ h \to f \circ (g \circ h)$ and 
$M(g)(f) \to M(g \circ f)$. We call the congruence relation generated by these reduc- 
tion rules $R$. From now on until the end of this section we will consider only the 
equivalence classes of terms modulo $R$. It is easy to see that if this equivalence 
class is SN without these two rules, any term of this equivalence class is SN even 
with these rules. 

Now we turn to the precise statement and proof of the criterion. To state the 
criterion we need to identify all substitutions which could arise as a result of the 
reduction sequence (1). 

Definition 2. (i) Let $f = f_n \circ f_{n-1} \circ \cdots \circ f_m \circ \cdots \circ f_1$ be any substitution 
with $m \le n$. We call the substitution $f_n \circ \cdots \circ f_{m+1} \circ \mathrm{weak}(x) \circ \mathrm{ext}_x(f_m) \circ 
\cdots \circ \mathrm{ext}_x(f_1)$ a λ-extension of $f$ with extension variable $x$. The special case 
$m = n$ denotes the substitution $\mathrm{ext}_x(f_m) \circ \cdots \circ \mathrm{ext}_x(f_1)$. 

(ii) We call $g$ an $i$-fold λ-extension of $f$ with extension variables $X_i$ if there 
are substitutions $f = f_0, f_1, \dots, f_i = g$ such that $f_j$ is an extension of $f_{j-1}$ 
with extension variable $x_j$ and $X_j = X_{j-1} \cup \{x_j\}$ for all $1 \le j \le i$. 

(iii) Let $f_n \circ f_{n-1} \circ \cdots \circ f_m \circ \cdots \circ f_1$ be any substitution. For any $k < m \le n$ and 
any term $M$ we call the substitution $f_n \circ \cdots \circ f_{m+1} \circ \mathrm{weak}(x) \circ \mathrm{ext}_x(f_m) \circ \cdots \circ 
\mathrm{ext}_x(f_{k+1}) \circ (M/x \cdot \mathrm{Id}) \circ f_k \circ \cdots \circ f_1$ a β-extension of $f$ with extension variable 
$x$. We call the term $M(f_k \circ \cdots \circ f_1)$ the extending term. The special case $m = 
n$ denotes the substitution $\mathrm{ext}_x(f_m) \circ \cdots \circ \mathrm{ext}_x(f_{k+1}) \circ (M/x \cdot \mathrm{Id}) \circ f_k \circ \cdots \circ f_1$. 

(iv) We call $g$ a λβ-extension with extension variables $X \cup \{x\}$ and extending 
term $M$ of $f$ if there exists a β-extension $f'$ of $f$ with extension variable 
$x$ and extending term $M$ such that $g$ is a $k$-fold λ-extension of $f'$ with 
extension variables $X$. 

(v) The term $M(g)$ is called a $k$-fold λ-(λβ-)extension of $M(f)$ if $g$ is a λ- 
(λβ-)extension of $f$ such that the extension variables of $g$ are not free in 
$M$. A 0-fold λβ-extension of $M(f)$ is an $i$-fold λ-extension of $M(f)$ for 
some $i$. 

Now we can state the criterion. 

Definition 3. A reduction relation $\to$ on expressions of the λσ_n-calculus is 
called strong normalisation-preserving if the following two conditions 
are satisfied: 

(i) Let $\to_0$ be the reduction relation of Figure 1. If $M \to M'$, then also $M \to_0 
M'$, and if $f \to f'$, then $f \to_0 f'$; 

(ii) For any substitution $f$ and any λ-extension $h$ of $f$ and any β-extension $g$ 
of $f$ with extending term $M$, $g$ and $h$ are SN if both $f$ and $M$ are. 

Note that for any λβ-extension $f'$ of $f$ and any variable $y \neq x$, where $x$ is the 
extension variable of the β-extension of $f$, we have that $\nu^\beta(y(f')) = \nu^\beta(y(f))$. 
Similarly, any λβ-extension $M'$ of $M$ satisfies $\nu^\beta(M') = \nu^\beta(M)$. 

Now we can define reducible expressions. The standard definition defines 
reducible terms of ground types to be exactly the strongly normalisable terms 
and reducible terms of function type to be those terms which when applied 
to a reducible term yield a reducible result. As already mentioned, we have to 
replace the induction over the structure of types by an induction over $\nu^\beta(M)$. 
This exploits the fact that $\nu^\beta(M(N/x \cdot \mathrm{Id})) < \nu^\beta((\lambda x.M)N)$. Hence we define not 
reducible terms, but reducible terms of grade $n$ with $n \ge 0$. We also add closure 
properties for preservation of strong normalisation by extending substitutions. 
Definition 4. (i) Call a sequence of terms $N_1, \dots, N_m$ with $m \ge 1$ a test- 
sequence for $M$ of degree $n$ if $N_i \in Red(n_i)$ with $\nu^\beta(MN_1 \cdots N_m) - 1 < 
n_i < n$ for all $1 \le i \le m$. 

(ii) Define the set of reducible terms of degree $n$ for any $n \ge 0$, written $Red(n)$, 
inductively as follows: 

— A term $M$ is an element of $Red(0)$ if $\nu^\beta(M) = 0$ implies that $M$ and 
any λ-extension of $M$ are SN. 

— $M$ is reducible of degree $n > 0$ if $\nu^\beta(M) > n$, or $\nu^\beta(M) \le n$ and for 
every $j$-fold extension $M'(h')$ with $0 \le j \le n$ such that all extending 
terms are SN and reducible of degrees $n > k_1 > \cdots > k_j > \nu^\beta(M'(h'))$, 
the following conditions are satisfied: 

• $M'(h')$ is SN; 

• For all terms $M''$ and substitutions $h$ such that $M'(h') \to^* 
(\lambda x.M'')(h)$ and for all test-sequences $N_1, \dots, N_m$ for $M'(h')$ of de- 
gree $n$ such that 

$$\nu^\beta(M'(h')N_1 \cdots N_m) < k_j$$

(if $j = 0$, then $\nu^\beta(M'(h')N_1 \cdots N_m) < n$), 

there exists a term $(\lambda x.P)(f)$ such that firstly $(\lambda x.P)(f) \to^* 
(\lambda x.M'')(h)$ and secondly, for any λβ-extension 

$$f' = \mathrm{ext}_x(f_m) \circ \cdots \circ \mathrm{ext}_x(f_{k+1}) \circ (N_1/x \cdot \mathrm{Id}) \circ f_k \circ \cdots \circ f_1$$

of $f = f_m \circ \cdots \circ f_{k+1} \circ f_k \circ \cdots \circ f_1$ with extending term $N_1$ we have 

$$x_i(f') \in Red(d_i) \quad \text{and} \quad \nu^\beta((P(f'))N_2 \cdots N_m) < d_i \le n$$

for all free variables $x_i$ of $P$, and also $P(f') \in Red(d)$ with 

$$\nu^\beta((P(f'))N_2 \cdots N_m) < d \le n.$$

The last clause is the appropriate generalisation of the standard reducibility 
condition: a term of function type is reducible if it is SN and whenever it reduces 
to a λ-abstraction, the result of applying this function to a reducible term is 
reducible again. 

Note that reducibility of degree $n$ does not imply strong normalisation. This 
implication is only guaranteed for terms $M$ with $\nu^\beta(M) \le n$. This is the major 
difference to the standard reducibility proof. The next lemma states two basic 
properties of reducible expressions. 

Lemma 5. (i) If $M$ is reducible of degree $n$ and $\nu^\beta(M) \le n$, then $M$ is SN. 

(ii) $Red(n) \subseteq Red(n-1)$ for all $n > 0$. 

The next lemma states that reducibility is preserved by extensions of substi- 
tutions. 

Lemma 6. Let $f$ be a substitution such that $f$ is SN and $y(f) \in Red(n)$ for 
some variable $y$. 

(i) If $Q \in Red(k)$ with $k \le n$ and $Q$ is SN, then for any λβ-extension $g$ of $f$ 
with extending term $Q$ and extension variable $x$ both terms $x(g)$ and $y(g)$ 
are reducible of degree $k$. 

(ii) For any λ-extension $g$ of $f$, if $x(f)$ is reducible of degree $n$, so is $x(g)$ for 
any variable $x$. 

Proof. (i) Definition 3 implies that $g$ is SN. By definition of reducibility, $y(g)$ 
is reducible of degree $k$ for any variable $y \neq x$. For the variable $x$, consider 
any $j$-fold λβ-extension $M$ of $x(g)$. Now one shows that $M$ is SN if all 
$j$-fold λβ-extensions of $Q$ are SN and that $M \to^* (\lambda z.N)(h)$ implies that 
for some $j$-fold λβ-extension $Q'$ of $Q$, $Q' \to^* (\lambda z.N)(h)$. It is then easy to 
see that $x(g)$ is reducible. 

(ii) Similar argument. 

Now we can show that every expression is reducible. 

Theorem 7. Consider any λ-term $M$. Let $f$ be a substitution such that $f$ is 
SN and $x_i(f)$ is reducible of degree $n$ for all free variables $x_i$ of $M$. Then the 
expression $M(f)$ is reducible of degree $n$ as well. 

Proof. We use induction over $n$, and for each $n$ an induction over the structure 
of $M$. 

$x$: Assumption. 

$\lambda x.M$: Let $g$ be a $j$-fold λβ-extension of $f$. By Lemma 6, for each free variable 
$y$ of $\lambda x.M$ the term $y(g')$ is reducible of degree $k_j$ with $n > k_j > 
\nu^\beta((\lambda x.M)(g))$, where $g'$ is the λ-extension obtained by pushing $g$ under the 
λ-abstraction. Hence by induction hypothesis, $M(g')$ is SN, and hence also 
$(\lambda x.M)(g)$ is SN. 

For the second condition, let $g$ be any $j$-fold λβ-extension of $f$. Again by 
Lemma 6, for the λβ-extension $g'$ of $g$ with extending term $N_1$, the term 
$x(g')$ is reducible of degree $k$ with $k > \nu^\beta((M(g'))N_2 \cdots N_m)$ for all free 
variables $x$ of $M$. Hence by induction hypothesis, $M(g') \in Red(k)$. 

$MN$: If there are no $M''$ and $f'$ such that $M(f) \to^* (\lambda x.M'')(f')$, the sec- 
ond condition is vacuously true, and the first condition holds by induction 
hypothesis. 

If there are such $M''$ and $f'$, then consider any $j$-fold λβ-extension $g$ of $f$. 
Now consider terms $N_1, \dots, N_m$ with $m \ge 0$ such that $N_i \in Red(n_i)$ and 
$n_i > \nu^\beta((MN)(g)N_1 \cdots N_m)$ for all $1 \le i \le m$. By induction hypothesis, 
whenever $M(g) \to^* (\lambda x.P)(h)$, then there exists a term $(\lambda y.Q)(h')$ such that 
$M(f) \to^* (\lambda y.Q)(h')$ and $(\lambda y.Q)(h') \to^* (\lambda x.P)(h)$ and for the λβ-extension 
$h''$ of $h'$ with extending term $N(g)$, we have $\nu^\beta((Q(h''))N_1 \cdots N_m) < d_i \le n$, 
where $d_i$ is the degree of $x_i(h'')$ for the free variables $x_i$ of $Q$. Hence by 
induction hypothesis $Q(h'') \in Red(d)$, where $\nu^\beta((Q(h''))N_1 \cdots N_m) < d \le 
n$. Now it is easy to see that $MN(g)$ is reducible of degree $n$. 

Preservation of strong normalisation follows now as an easy corollary by applying 
the previous theorem to the empty substitution. 

Corollary 8. Assume $\to$ satisfies the condition of Definition 3. Let $M$ be any 
strongly normalising λ-term. Then $M$ is a strongly normalising term of the λσ_n- 
calculus. 

Proof. Using Lemma 6, one shows that $x(\mathrm{Id}) \in Red(n)$ for all $n$. By the previous 
theorem, $M(\mathrm{Id}) \in Red(\nu^\beta(M))$. Hence by Lemma 5 $M$ is SN. 

Note that both the theorem and the corollary do not say anything about 
substitutions. The reason is that it is difficult to state the preservation of strong 
normalisation for substitutions. For a typed calculus, this proof can be extended 
to show that a typed λσ_n-calculus with this restriction is strongly normalising. 
This includes the substitutions. Using Ghani's techniques [8] we can extend this 
proof also to the η-rules. 

4 A strong normalisation-preserving restriction of the 
λσ_n-calculus 

The previous section gave a condition when a reduction relation on the λσ_n- 
calculus preserves strong normalisation. In this section we give a concrete exam- 
ple of such a relation for the λσ_n-calculus. It suffices to restrict the reduction 
rule which carries out nested substitutions, namely 

$$(\circ\text{-nat}) \quad (M/x \cdot g) \circ f \to M(f)/x \cdot (g \circ f)$$

in such a way that weakening operations are carried out as early as possible. 
More precisely, the reduction rules are the rules for the λσ_n-calculus with the 
exception of this rule, which is replaced by the two rules 

$$(M/x \cdot g) \circ ((N/y \cdot f) \circ h) \to (M(N/y \cdot f)/x \cdot (g \circ (N/y \cdot f))) \circ h$$
$$(M/x \cdot g) \circ (N/y \cdot f) \to M(N/y \cdot f)/x \cdot (g \circ (N/y \cdot f))$$

Note that the explicit weakening makes it possible to formulate these two rules 
as unconditional rewrite rules, i.e., without a side condition on free variables as 
in [11]. All reduction rules are local in the sense that their applicability can be 
decided by inspecting the top of the syntax tree only. This means these rules are 
directly suitable for an abstract machine. 

To achieve confluence we add the rules 

$$x((M/x \cdot g) \circ f) \to M(f)$$
$$y((M/x \cdot g) \circ f) \to y(g \circ f) \quad \text{if } x \neq y$$

$$\mathrm{weak}(X, x) \circ ((M/x \cdot f) \circ g) \to \mathrm{weak}(X) \circ (f \circ g)$$

$$\mathrm{weak}(X) \circ ((M/x \cdot f) \circ g) \to M(g)/x \cdot (\mathrm{weak}(X) \circ (f \circ g)) \quad \text{if } x \notin X$$

These rules are derivable in the original calculus but no longer in the restricted 
one. We denote this restricted reduction relation by $\to_\rho$. 

If we apply this restriction to the reduction sequence (1) at the beginning of 
section 3, we see that with this restriction there is no way that the substitution 
$N/x \cdot \mathrm{Id}$ can interact with the substitution $f$: if $f$ is a substitution $M/y \cdot g$, then 
the reduction sequence 

$$(M/y \cdot g) \circ \mathrm{weak}(x) \circ (N/x \cdot \mathrm{Id}) \to M(\mathrm{weak}(x) \circ (N/x \cdot \mathrm{Id}))/y \cdot (g \circ \mathrm{weak}(x) \circ (N/x \cdot \mathrm{Id}))$$

is not allowed. The only possible reduction sequence (apart from reductions 
inside $M$, $N$ and $g$) is $(M/y \cdot g) \circ \mathrm{weak}(x) \circ (N/x \cdot \mathrm{Id}) \to^* (M/y \cdot g) \circ \mathrm{Id}$, which 
eliminates any possible interaction. 

This restriction is still confluent and refines the β-reduction of the λ-calculus. 
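The rules of Figure 1 and the restriction of (∘-nat) just described can be exercised mechanically. The following Python program is an added example written for this edition, not code from the paper: it encodes λσ_n terms and substitutions as tuples, implements the Figure 1 rules as a leftmost-outermost rewriter, and, when `restricted=True`, replaces (∘-nat) by the two restricted rules and adds the four confluence rules of this section. Two things it relies on are not stated on this page and are assumptions: $\mathrm{ext}_x(f)$ is taken to be $x/x \cdot (f \circ \mathrm{weak}(x))$, which is what reduction sequence (1) requires, and $\mathrm{weak}(\emptyset)$ is identified with $\mathrm{Id}$, which the step to $(M/y \cdot g) \circ \mathrm{Id}$ above uses. The constructed substitution $f = a/y \cdot \mathrm{Id}$ and term $N = b$ are sample inputs; `mellies_substitution` builds $f \circ \mathrm{weak}(x) \circ (N/x \cdot \mathrm{Id})$ from sequence (1) so that the two calculi can be compared on it: the unrestricted rewriter has a root redex that pushes $\mathrm{weak}(x) \circ (N/x \cdot \mathrm{Id})$ into $f$, while the restricted one can only collapse $\mathrm{weak}(x) \circ (N/x \cdot \mathrm{Id})$ to $\mathrm{Id}$.

```python
"""Rewriting for the lambda-sigma_n calculus: the Figure 1 rules, and the Section 4
restriction of (o-nat).  Added example; the tuple encoding and the strategy are ours."""
from typing import Optional

# Expressions are tuples: ('var',x) ('lam',x,M) ('app',M,N) ('sub',M,f)
#                         ('id',) ('weak',X) ('cons',M,x,f) ('comp',g,f)
def Var(x): return ('var', x)
def Lam(x, m): return ('lam', x, m)
def App(m, n): return ('app', m, n)
def Sub(m, f): return ('sub', m, f)              # M(f)
ID = ('id',)
def Weak(xs):                                    # weak(X); ASSUMPTION: weak(empty) is Id
    xs = frozenset(xs)
    return ID if not xs else ('weak', xs)
def Cons(m, x, f): return ('cons', m, x, f)      # M/x . f
def Comp(g, f): return ('comp', g, f)            # g o f

def ext(x, f):
    """ext_x(f) = x/x . (f o weak(x)).  ASSUMPTION: defined earlier in the paper, not here."""
    return Cons(Var(x), x, Comp(f, Weak({x})))

def root_step(e: tuple, restricted: bool = False) -> Optional[tuple]:
    """One rewrite at the root, or None if no rule applies there."""
    tag = e[0]
    if tag == 'app' and e[1][0] == 'lam':                    # (lx.M)N -> M(N/x.Id)
        _, (_, x, m), n = e
        return Sub(m, Cons(n, x, ID))
    if tag == 'sub':
        _, m, f = e
        if f == ID:                                          # M(Id) -> M
            return m
        if m[0] == 'var' and f[0] == 'cons':                 # x(M/x.f) -> M ; y(M/x.f) -> y(f)
            return f[1] if m[1] == f[2] else Sub(m, f[3])
        if m[0] == 'var' and f[0] == 'weak':                 # x(weak(X)) -> x
            return m
        if m[0] == 'lam':                                    # (lx.M)(f) -> lx.M(ext_x(f))
            return Lam(m[1], Sub(m[2], ext(m[1], f)))
        if m[0] == 'app':                                    # (MN)(f) -> (M(f))(N(f))
            return App(Sub(m[1], f), Sub(m[2], f))
        if m[0] == 'sub':                                    # M(f)(g) -> M(f o g)
            return Sub(m[1], Comp(m[2], f))
        if restricted and m[0] == 'var' and f[0] == 'comp' and f[1][0] == 'cons':
            _, (_, n, x, g), h = f                           # x((M/x.g) o f) -> M(f) ; y(..) -> y(g o f)
            return Sub(n, h) if m[1] == x else Sub(m, Comp(g, h))
        return None
    if tag == 'comp':
        _, g, f = e
        if g[0] == 'weak' and f[0] == 'cons':                # weak(X) o (M/x.f), both variants
            _, m, x, f2 = f
            return Comp(Weak(g[1] - {x}), f2) if x in g[1] else Cons(m, x, Comp(g, f2))
        if f == ID:                                          # f o Id -> f
            return g
        if g == ID:                                          # Id o f -> f
            return f
        if g[0] == 'weak' and f[0] == 'weak':                # weak(X) o weak(Y) -> weak(X,Y)
            return Weak(g[1] | f[1])
        if g[0] == 'comp':                                   # (f o g) o h -> f o (g o h)
            return Comp(g[1], Comp(g[2], f))
        if g[0] == 'cons':
            _, m, x, g2 = g
            if not restricted:                               # (o-nat): (M/x.g) o f -> M(f)/x . (g o f)
                return Cons(Sub(m, f), x, Comp(g2, f))
            if f[0] == 'cons':                               # restricted: right side must be N/y.f ...
                return Cons(Sub(m, f), x, Comp(g2, f))
            if f[0] == 'comp' and f[1][0] == 'cons':         # ... or (N/y.f) o h
                return Comp(Cons(Sub(m, f[1]), x, Comp(g2, f[1])), f[2])
            return None
        if restricted and g[0] == 'weak' and f[0] == 'comp' and f[1][0] == 'cons':
            _, (_, m, x, f2), h = f                          # weak(X) o ((M/x.f) o g), both variants
            if x in g[1]:
                return Comp(Weak(g[1] - {x}), Comp(f2, h))
            return Cons(Sub(m, h), x, Comp(g, Comp(f2, h)))
    return None

def step(e: tuple, restricted: bool = False) -> Optional[tuple]:
    """Leftmost-outermost: try the root first, then the children left to right."""
    r = root_step(e, restricted)
    if r is not None:
        return r
    for i, kid in enumerate(e[1:], start=1):
        if isinstance(kid, tuple):                           # skip names and variable sets
            r = step(kid, restricted)
            if r is not None:
                return e[:i] + (r,) + e[i + 1:]
    return None

def normalize(e: tuple, restricted: bool = False, fuel: int = 10_000) -> tuple:
    """Iterate `step` to a normal form; the calculus is untyped, so `fuel` bounds the loop."""
    for _ in range(fuel):
        r = step(e, restricted)
        if r is None:
            return e
        e = r
    raise RuntimeError("no normal form reached within fuel")

def mellies_substitution(f: tuple, n: tuple) -> tuple:
    """f o weak(x) o (N/x . Id) from reduction sequence (1), right-associated."""
    return Comp(f, Comp(Weak({'x'}), Cons(n, 'x', ID)))

F = Cons(Var('a'), 'y', ID)        # constructed sample substitution f = a/y . Id
N = Var('b')                       # constructed sample term N

if __name__ == "__main__":
    s = mellies_substitution(F, N)
    print("unrestricted root redex:", root_step(s))         # pushes weak(x) o (N/x.Id) into f
    print("restricted first step:  ", step(s, restricted=True))
    print("restricted normal form: ", normalize(s, restricted=True))
```

On `mellies_substitution(F, N)` the unrestricted `root_step` fires (∘-nat) and produces a substitution containing $a(\mathrm{weak}(x) \circ (b/x \cdot \mathrm{Id}))$, the interaction the paper calls counterintuitive; the restricted `root_step` returns `None`, so the first step is the collapse of $\mathrm{weak}(x) \circ (b/x \cdot \mathrm{Id})$ to $\mathrm{Id}$ inside, and the normal form is $f$ itself. Both calculi agree on ordinary β-redexes and on substitutions pushed under a λ.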



Proposition 9. The notion of reduction $\to_\rho$ is ground confluent, and the nor- 
mal forms of terms are normal λ-terms. If $M \to_\rho M'$, then also $M^\sigma \to^* M'^\sigma$, 
where $M^\sigma$ is the λ-term obtained by applying all σ-rules and hence executing all 
explicit substitutions. Moreover, if the term $M$ reduces to $M'$ in the λ-calculus, 
then $M \to_\rho^* M'$ in the λσ_n-calculus. 

Next we show that this notion of reduction is SN. We use the criterion of 
Definition 3. A key step in the proof is the following lemma, which uses the 
restriction of the rule (∘-nat) in an essential way. 

Lemma 10. If $f$ is SN, so is $f \circ \mathrm{weak}(X)$ for any set $X$. 

Now we can prove the main theorem. 

Theorem 11. Let $M$ be any strongly normalising λ-term. Then $M$ is a strongly 
normalising term of the λσ_n-calculus with respect to the reduction relation $\to_\rho$. 

Proof. By Corollary 8 it suffices to show that any λ- and β-extension of any 
substitution $f$ is SN provided $f$ and the extending term are SN. We show here 
only the case of the β-extension; the case of the λ-extension is similar. So we 
have to show that $g \circ \mathrm{weak}(x) \circ \mathrm{ext}_x(g_n) \circ \cdots \circ \mathrm{ext}_x(g_1) \circ (N/x \cdot \mathrm{Id}) \circ f$ is SN 
provided $g \circ g_n \circ \cdots \circ g_1 \circ f$ and $N(f)$ are SN. Now consider the inductively defined 
substitutions $h_0 = (N/x \cdot \mathrm{Id}) \circ f$ and $h_{k+1} = x(h_k)/x \cdot (g_{k+1} \circ \mathrm{weak}(x) \circ h_k)$ which 
arise by applying the rules replacing (∘-nat) to the substitution $g \circ \mathrm{weak}(x) \circ 
\mathrm{ext}_x(g_n) \circ \cdots \circ \mathrm{ext}_x(g_1) \circ (N/x \cdot \mathrm{Id}) \circ f$. Lemma 10 shows that it suffices to prove 
that $x(h_k)/x \cdot (g \circ g_n \circ \cdots \circ g_{k+1} \circ \mathrm{weak}(x) \circ h_k)$ is SN. For this, we show by 
induction over the lexicographically ordered pair $(m + k, \nu(f_1) + \nu(f_2) + \nu(f_3))$ 
that $x(f_1)/x \cdot (f_2 \circ \mathrm{weak}(x) \circ f_3)$ is SN whenever $h_m \to_\rho^* f_1$, $g \circ g_n \circ \cdots \circ g_{k+1} \to_\rho^* f_2$ 
and $h_k \to_\rho^* f_3$. The restriction of the rule (∘-nat) implies that this substitution 
can be reduced in one step only to 

- $x(f_1)/x \cdot (f_2 \circ g'_k \circ \mathrm{weak}(x) \circ f')$ with $g_k \to_\rho^* g'_k$ and also $h_{k-1} \to_\rho^* f'$; 

- $x(f_1)/x \cdot (f_2 \circ \mathrm{weak}(x) \circ f')$ with $f_3 \to_\rho f'$; 

- $x(f_1)/x \cdot (g' \circ \mathrm{weak}(x) \circ f_3)$, where $f_2 \to_\rho g'$; 

- $x(f')/x \cdot (f_2 \circ \mathrm{weak}(x) \circ f_3)$ with $h_{m-1} \to_\rho^* f'$; 

- $x(f')/x \cdot (f_2 \circ \mathrm{weak}(x) \circ f_3)$ with $f_1 \to_\rho f'$. 

All these substitutions are SN by induction hypothesis, hence $x(f_1)/x \cdot (f_2 \circ 
\mathrm{weak}(x) \circ f_3)$ is SN. 
5 Preservation of strong normalisation for other calculi 

The criterion in Definition 3 also yields the preservation of strong normalisation 
for other calculi in the literature, e.g., the λυ-calculus [2], the λs-calculus [13], a 
λσ⇑-calculus without environments [7] and the λx_gc-calculus [11]. As an example 
for the argument, we consider the λx-calculus [4]. This calculus has the raw 
expressions $M ::= x \mid \lambda x.M \mid MM \mid M(x := M)$, with no separate syntactic 
category of substitutions. The reduction rules are 

$$(\lambda x.M)N \to M(x := N)$$

$$(\lambda x.M)(y := N) \to \lambda x.M(y := N)$$

$$(MN)(x := P) \to (M(x := P))(N(x := P))$$
$$x(x := M) \to M$$
$$M(x := N) \to M \quad \text{if } x \notin FV(M)$$

For the proof it is convenient to re-introduce this distinction and present the 
syntax with two categories, namely terms and substitutions: 

$$M ::= x \mid \lambda x.M \mid MM \mid Mf$$
$$f ::= (x := M) \mid f(x := M)$$

We identify the terms $(Mf)g$ and $Mh$ where $f = (x_1 := M_1) \cdots (x_n := M_n)$, 
$g = (y_1 := N_1) \cdots (y_m := N_m)$ and $h = (x_1 := M_1) \cdots (x_n := M_n)(y_1 := 
N_1) \cdots (y_m := N_m)$. To state the criterion for preservation of strong normalisa- 
tion, we have to analyse the reduction sequence (1) at the beginning of section 3. 
This sequence is now $((\lambda x.M)f)N \to (\lambda x.Mf)N \to Mf(x := N)$. Because 
there is no rule for composition of substitutions it is trivial that $f(x := N)$ is 
SN if $f$ and $N$ are. Hence the criterion for PSN is satisfied. An extension of a 
substitution $f$ is now a substitution $f(x := M)$, where $x$ does not occur freely 
in $f$, and an extension of $Mf$ is a term $Mf(x := N)$ where $x$ does not occur 
freely in $M$ nor $f$. Now the proof of section 3 goes through. Because a reduction 
in the λx-calculus cannot be mapped directly to a sequence of reductions in the 
λσ_n-calculus it does not suffice to check the criterion and then to appeal to PSN 
for the λσ_n-calculus. 

6 Conclusions 

This paper presents a criterion for the preservation of strong normalisation in 
calculi with explicit substitutions. The proof uses a novel adaptation of the re- 
ducibility method to the untyped λ-calculus. The criterion can be easily checked 
and yields the preservation of strong normalisation of various common calculi 
with explicit substitution. This method applies to typed λ-calculi as well, where 
the standard reducibility method can be used. 

The transfer of the reducibility method to the untyped λ-calculus could show 
the way for the transfer of reasoning principles of the typed λ-calculus to the 
untyped λ-calculus. In particular it might be possible to transfer logical relations 
to the untyped λ-calculus and replace the induction over the type structure by 
a computation induction, i.e., an induction over the number of β-reductions in 
a computation. 
Appendix 

The relation between the λσ-calculus and the λσ_n-calculus 

This appendix sketches the relation between the λσ-calculus and the 
λσ_n-calculus, i.e., between the version with names and the version with de Bruijn-numbers. The raw expressions of the 
λσ-calculus are 

$$M ::= n \mid \lambda M \mid MM \mid M(f)$$

$$f ::= \mathrm{Id} \mid \mathrm{Fst} \mid M \cdot f \mid f \circ f$$

where $n$ is an integer such that $n \ge 1$, and the reduction rules are 



$(\lambda M)N \to M(N \cdot \mathrm{Id})$ 
$1(M \cdot f) \to M$ 
$n{+}1(M \cdot f) \to n(f)$ 
$n(\mathrm{Fst}) \to n{+}1$ 

$(\lambda M)(f) \to \lambda M(1 \cdot (f \circ \mathrm{Fst}))$ 
$(MN)(f) \to (M(f))(N(f))$ 
$f \circ \mathrm{Id} \to f$ 
$\mathrm{Id} \circ f \to f$ 

$\mathrm{Fst} \circ (M \cdot f) \to f$ 
$M(\mathrm{Id}) \to M$ 
$(M \cdot f) \circ g \to (M(g)) \cdot (f \circ g)$ 
$(f \circ g) \circ h \to f \circ (g \circ h)$ 
$M(f)(g) \to M(f \circ g)$ 



The relation between the version with names and the version with de Bruijn- 
numbers is investigated in [14]. Here we only give translations between the two 
versions and state their properties. The translation from the calculus with names 
to the calculus with de Bruijn-numbers depends on a context which lists all free 
variables. If $\Gamma$ is a list $x_n, \dots, x_1$ which includes all free variables of the expressions 
with names $M$ and $f$, we define expressions with de Bruijn-numbers $(\Gamma, M)^{dB}$ 
and $(\Gamma, f)^{dB}$ by induction over the structure of $M$ and $f$. For the definition 
of the translation of $f$ we need to determine the list of variables for which $f$ 
provides a term to be substituted. 



$$((x_n, \dots, x_1), x_k)^{dB} = k$$

$$(\Gamma, \lambda x.M)^{dB} = \lambda ((\Gamma, x), M)^{dB}$$

$$(\Gamma, MN)^{dB} = (\Gamma, M)^{dB} (\Gamma, N)^{dB}$$

$$(\Gamma, M(f))^{dB} = (\Delta, M)^{dB}(g) \quad \text{if } (\Gamma, f)^{dB} = (g, \Delta)$$

$$(\Gamma, \mathrm{Id})^{dB} = (\mathrm{Id}, \Gamma)$$

$$((x_n, \dots, x_1), \mathrm{weak}(X))^{dB} = (1 \cdot (g \circ \mathrm{Fst}), (\Delta, x_1)) \quad \text{if } x_1 \notin X \text{ and } ((x_n, \dots, x_2), \mathrm{weak}(X))^{dB} = (g, \Delta)$$

$$((x_n, \dots, x_1), \mathrm{weak}(X))^{dB} = (g \circ \mathrm{Fst}, \Delta) \quad \text{if } x_1 \in X \text{ and } ((x_n, \dots, x_2), \mathrm{weak}(X \setminus \{x_1\}))^{dB} = (g, \Delta)$$

$$(\Gamma, g \circ f)^{dB} = (h_2 \circ h_1, \Gamma_2) \quad \text{if } (\Gamma, f)^{dB} = (h_1, \Gamma_1) \text{ and } (\Gamma_1, g)^{dB} = (h_2, \Gamma_2)$$
The translation in the other direction again depends on an assignment of 
names to the free variables of $M$ and $f$. Given a context $x_n, \dots, x_1$ and an 
expression with de Bruijn-numbers, we define an expression with names by 

$$((x_n, \dots, x_1), k)^N = x_k \quad \text{if } 1 \le k \le n \text{ (undefined otherwise)}$$

$$(\Gamma, \lambda M)^N = \lambda x.((\Gamma, x), M)^N \quad \text{(if } x \text{ not contained in } \Gamma)$$

$$(\Gamma, MN)^N = (\Gamma, M)^N (\Gamma, N)^N$$

$$(\Gamma, M(f))^N = (\Delta, M)^N(g) \quad \text{if } (\Gamma, f)^N = (g, \Delta)$$

$$(\Gamma, \mathrm{Id})^N = (\mathrm{Id}, \Gamma)$$

$$((\Gamma, x), \mathrm{Fst})^N = (\mathrm{weak}(x), \Gamma)$$

$$(\Gamma, M \cdot f)^N = ((\Gamma, M)^N / x \cdot g, (\Delta, x)) \quad \text{if } x \notin \Delta \text{ and } (\Gamma, f)^N = (g, \Delta)$$

$$(\Gamma, g \circ f)^N = (h_2 \circ h_1, \Gamma_2) \quad \text{if } (\Gamma, f)^N = (h_1, \Gamma_1) \text{ and } (\Gamma_1, g)^N = (h_2, \Gamma_2)$$

If one translates a de Bruijn-expression into an expression with names and 
back, one obtains the same expression. This is not true if one translates an 
expression with names into a de Bruijn-expression and back: the reason is that 
the substitution $\mathrm{weak}(x)$ is more general than the weakening operator $\mathrm{Fst}$ in 
the de Bruijn-calculus. Both translations preserve reduction. The details are as 
follows. 

Proposition 12. (i) Let $M$ and $f$ be expressions with names and let $\Gamma$ be a 
context which contains all free variables of $M$ and $f$. If $M \to M'$ and $f \to 
f'$, then also $(\Gamma, M)^{dB} \to^* (\Gamma, M')^{dB}$ and $g \to^* g'$ where $(\Gamma, f)^{dB} = (g, \Delta)$ 
and $(\Gamma, f')^{dB} = (g', \Delta)$. 

(ii) Let $M$ and $f$ be expressions with de Bruijn-numbers and $\Gamma$ a context such 
that $(\Gamma, M)^N$ and $(\Gamma, f)^N$ are defined. Then $(\Gamma, (\Gamma, M)^N)^{dB} = M$, and if 
$(\Gamma, f)^N = (g, \Delta)$, then $(\Gamma, g)^{dB} = (f, \Delta)$. 

(iii) Let $M$ and $f$ be expressions with de Bruijn-numbers and let $\Gamma$ be a context 
such that $(\Gamma, M)^N$ and $(\Gamma, f)^N$ are defined. If $M \to M'$ and $f \to f'$, 
then also $(\Gamma, M)^N \to^* (\Gamma, M')^N$ and $g \to^* g'$ where $(\Gamma, f)^N = (g, \Delta)$ and 
$(\Gamma, f')^N = (g', \Delta)$. 

This proposition shows the close connection between the version with names 
and the version with de Bruijn-numbers: there is a one-to-one correspondence be- 
tween the two calculi except for the generalised weakening operation in the 
calculus with names. The proposition also shows that if preservation of strong 
normalisation holds in one calculus it holds also in the other calculus. 
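The context-dependent translations of this appendix are easy to run for the term constructors. The following Python program is an added example, not code from the paper: it implements the clauses of $(\Gamma, M)^{dB}$ and $(\Gamma, M)^N$ for $x$, $\lambda x.M$ and $MN$ only (the clauses for $M(f)$ and for substitutions need the $\mathrm{weak}(X)$ bookkeeping shown in the tables and the $M/x \cdot f$ clause, which this page does not give), and checks the round-trip property of Proposition 12(ii) on a constructed sample term. The tuple encoding, the convention that the context is stored with $x_1$ last, and the fresh-name scheme `v0, v1, ...` for the side condition "$x$ not contained in $\Gamma$" are ours.

```python
"""Names <-> de Bruijn translation of lambda-terms, following the appendix clauses
for x, lambda x.M and MN.  Added example; encoding and naming scheme are ours."""
from typing import Tuple

# Named terms:     ('var', x) | ('lam', x, M) | ('app', M, N)
# de Bruijn terms: ('idx', k) | ('lam', M)    | ('app', M, N)   (indices start at 1, as on the page)
Ctx = Tuple[str, ...]    # the context x_n, ..., x_1, stored with x_1 (the innermost binder) LAST

def to_db(ctx: Ctx, m: tuple) -> tuple:
    """(Gamma, M)^dB: ctx must list every free variable of m."""
    tag = m[0]
    if tag == 'var':                         # ((x_n,...,x_1), x_k)^dB = k
        x = m[1]
        if x not in ctx:
            raise ValueError(f"free variable {x!r} not in context")
        k = len(ctx) - max(i for i, y in enumerate(ctx) if y == x)   # innermost occurrence wins
        return ('idx', k)
    if tag == 'lam':                         # (Gamma, lambda x.M)^dB = lambda ((Gamma, x), M)^dB
        return ('lam', to_db(ctx + (m[1],), m[2]))
    return ('app', to_db(ctx, m[1]), to_db(ctx, m[2]))

def fresh(ctx: Ctx) -> str:
    """A name not contained in ctx (side condition of the lambda clause of (Gamma, M)^N)."""
    i = 0
    while f"v{i}" in ctx:
        i += 1
    return f"v{i}"

def to_names(ctx: Ctx, m: tuple) -> tuple:
    """(Gamma, M)^N; raises on an index outside the context (the 'otherwise' case)."""
    tag = m[0]
    if tag == 'idx':                         # ((x_n,...,x_1), k)^N = x_k if 1 <= k <= n
        k = m[1]
        if not 1 <= k <= len(ctx):
            raise ValueError(f"index {k} not in a context of length {len(ctx)}")
        return ('var', ctx[len(ctx) - k])
    if tag == 'lam':                         # (Gamma, lambda M)^N = lambda x.((Gamma, x), M)^N
        x = fresh(ctx)
        return ('lam', x, to_names(ctx + (x,), m[1]))
    return ('app', to_names(ctx, m[1]), to_names(ctx, m[2]))

def round_trip_db(ctx: Ctx, m: tuple) -> bool:
    """Proposition 12(ii) restricted to terms: de Bruijn -> names -> de Bruijn is the identity."""
    return to_db(ctx, to_names(ctx, m)) == m

# Constructed sample: lambda x. lambda y. x (y z), with z the only free variable.
SAMPLE = ('lam', 'x', ('lam', 'y', ('app', ('var', 'x'), ('app', ('var', 'y'), ('var', 'z')))))
CTX: Ctx = ('z',)

if __name__ == "__main__":
    db = to_db(CTX, SAMPLE)
    print("de Bruijn form:", db)
    print("back to names: ", to_names(CTX, db))
    print("round trip ok: ", round_trip_db(CTX, db))
```

The names-to-de Bruijn-to-names direction renames bound variables (the fresh-name scheme picks `v0`, `v1`, ...), so even for pure terms it agrees with the input only up to change of bound variables; the page's stronger remark about that direction concerns $\mathrm{weak}(x)$ versus $\mathrm{Fst}$ and is not exercised by this term-only fragment.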
Abstract. We introduce λε, a simply typed calculus with environments 
as first class values. As well as the usual constructs of λ and applica- 
tion, we have $e[a]$ which evaluates term $a$ in an environment $e$. Our 
environments are a set of variable-value pairs, but environments can 
also be computed by function application and evaluation in some other 
environments. The notion of environments here is a generalization of ex- 
plicit substitutions and records. We show that the calculus has desirable 
properties such as subject reduction, confluence, conservativity over the 
simply typed λβ-calculus and strong normalizability. 



1 Introduction 

In this paper, we solve the problem of designing a pure functional language that 
has explicit environments. We understand that a functional language is pure if 
(i) it is a conservative extension of the untyped or simply typed λβ-calculus, (ii) 
confluent and (iii) strongly normalizing (SN) if the language is typed and has 
the preservation of strong normalization (PSN) property if the language is untyped. 
The conservative extension property guarantees that the language is logically 
well-behaved and the confluence property and SN or PSN would guarantee that 
the language is computationally well-behaved. 

What do we mean by explicit environments? An explicit environment is a set 
of variable-value pairs representing a finite function from variables to values 

(i) which is equipped with an operation $\_[\_]$ such that $e[a]$ is the evaluation of 
a term $a$ in the environment $e$, and 

(ii) which can be the argument or result of a function. (It is a "first class value".) 

Explicit environments can be regarded as a generalization of explicit substitu- 
tions and records: 

— An explicit substitution has property (i) above but not (ii). 

— A record has property (ii) above but not (i). 

Without the purity conditions, there are already several languages with 
explicit environments. For example, several versions of the programming lan- 
guage Scheme have explicit environments. The Pebble language of Lampson and 
Burstall [8] also treated explicit environments (bindings). It used dependent 
types and no confluence result was obtained. Nishizaki [9,10] also attempted to 
treat explicit environments. But, his system does not satisfy the conservative 
extension condition because he avoided the problem of defining the set of free 
variables for a term of his language. As we will soon see, giving a correct defini- 
tion of free variables in a term becomes a difficult problem if the term in question 
contains variables whose values are environments. These languages are, however, 
exceptional, and in most programming languages, environments are implicit in 
the sense that they are used at meta-level as a device for giving formal seman- 
tics of these languages or they are used when implementing these languages, but 
they do not appear as syntactic entities of these languages. 

On the other hand, there are quite a few typed or untyped calculi of explicit 
substitutions including [1,2, 3, 7], and some of these are pure in our sense. How- 
ever, to the best of our knowledge, there are no calculi of explicit substitutions 
in which substitutions are first class objects. So, we believe that our language is 
the first pure language that has substitutions as its first class objects, since as 
we explain below we may regard environments as substitutions. 

Our use of ‘environment’ derives from LISP which has explicit environments 
in our sense. In what follows we will generally just say ‘environment’ for ‘explicit 
environment’ where the context makes this clear. A concept closely related to ex- 
plicit environment is let declaration (SML) or local definition. In SML, declara- 
tions are not first class values, but they do permit some combination operations, 
such as ;. 

Let us compare these language features, showing notations and their expres- 
sivity. When we give the formation rules for our calculus with environments we 
can be more precise. 

— Explicit environment $\{a/x, b/y\}[c]$: Evaluate term $c$ in an environment which 
binds $x$ to $a$ and $y$ to $b$. 

— Explicit substitution $[x := a, y := b]c$: Substitute $a$ for $x$ and $b$ for $y$ in term 
$c$. 

— Record $[x = a, y = b].x$: Extract the $x$ field of the record $[x = a, y = b]$; $x$ is 
a field name. 

— Let $\mathbf{let}\ x = a\ \mathbf{and}\ y = b\ \mathbf{in}\ c$: Declare local variables $x$ with value $a$, $y$ with 
value $b$. Use these to evaluate $c$. 

The syntax for these features shows that our environments are the most gen- 
eral, allowing terms for both $e$ and $a$ in $e[a]$. 

Explicit environment: term[term] 
Explicit substitution: [var := term, ..., var := term]term 
Record: term.fieldName 
Let: let declaration in term 

In the above table, declaration ($d$) is defined by the grammar: 
$d ::= \mathit{var} = \mathit{term} \mid d;d \mid d\ \mathbf{and}\ d \mid \mathbf{local}\ d\ \mathbf{in}\ d$. 
In section 2, we introduce a typed language λε by introducing typing rules for 
terms that will determine the (typable) terms of the language. In section 3, we 
give reduction rules of the λε-calculus and prove the subject reduction theorem 
for the calculus. In section 4, we prove the confluence of λε and prove that the 
λε-calculus is a conservative extension of the simply typed λβ-calculus. In section 
5, we prove the strong normalizability of λε. By the results obtained in sections 
3-6, we can see that λε provides a language we wanted to design. In section 6, we 
give concluding remarks. Due to lack of space, we have omitted some lemmas 
and almost all proofs. A full version of this paper with proofs is accessible at 
http://www.sato.kuis.kyoto-u.ac.jp/~masahiko/index-e.html. 
Acknowledgements We thank Takayasu Ito and Yukiyoshi Kameyama for 
helpful comments on earlier versions of the paper. 



2 The Type System 

In this section we introduce the λε-calculus¹ as an extension of the simply typed λβ-calculus. We assume that we have an infinite set of variables which is a disjoint union of an infinite set of bindable variables and an infinite set of unbindable variables. We will design our syntax in such a way that an unbindable variable never gets bound. The distinction between these two kinds of variables will become important only in the proof of strong normalizability of our calculus. So, until then, the reader may read the paper assuming that all the variables are bindable.

The untyped λε-terms are defined by the following grammar, where z ranges over variables (bindable or unbindable), x over bindable variables and x1, ..., xn (n ≥ 0) are distinct bindable variables.

$$a, b, e ::= z \mid \lambda x.b \mid ba \mid \{a_1/x_1, \ldots, a_n/x_n\} \mid e\llbracket a\rrbracket.$$

For each term a we associate a finite set Π(a) of strings over 1, 2, ..., which we call positions, as follows. We call this set the position set of a. We use Λ to denote the empty string and π, σ, τ etc. to denote positions.

1. $\Pi(x) := \{\Lambda\}$.

2. $\Pi(\lambda x.a) := \{\Lambda\} \cup 1\Pi(a)$.

3. $\Pi(ba) := \{\Lambda\} \cup 1\Pi(b) \cup 2\Pi(a)$.

4. $\Pi(\{a_1/x_1, \ldots, a_n/x_n\}) := \{\Lambda\} \cup 1\Pi(a_1) \cup \cdots \cup n\Pi(a_n)$.

5. $\Pi(e\llbracket a\rrbracket) := \{\Lambda\} \cup 1\Pi(e) \cup 2\Pi(a)$.

For each π ∈ Π(a), we associate a term a/π as follows.

1. $a/\Lambda := a$.

2. $\lambda x.a/1\pi := a/\pi$.

3. $ba/1\pi := b/\pi$, $ba/2\pi := a/\pi$.

4. $\{a_1/x_1, \ldots, a_n/x_n\}/i\pi := a_i/\pi$ $(1 \le i \le n)$.

5. $e\llbracket a\rrbracket/1\pi := e/\pi$, $e\llbracket a\rrbracket/2\pi := a/\pi$.



¹ ε is for environment.
If b = a/π, then we say that b occurs in a at position π. Let π and σ be positions. We write π ≤ σ if π is an initial substring of σ, that is, σ = ππ' for some π'. We write π < σ if, in addition, π' ≠ Λ.

We define types (A, B) and environment types (E) simultaneously as follows, where K ranges over atomic types and, in the definition of E, n ≥ 0 and the xi must be distinct bindable variables.

$$A, B ::= K \mid E \mid A \Rightarrow B$$
$$E ::= \{x_1^{A_1}, \ldots, x_n^{A_n}\}$$

If E = {x1^{A1}, ..., xn^{An}}, we say that xi^{Ai} (1 ≤ i ≤ n) are in the environment type E. If a term e has type E by the typing rules we introduce below, then e is an environment, and it is a first-class value of the calculus.

A declaration is an expression of the form x^A where x is a variable and A is a type. A context is a sequence x1^{A1}, ..., xn^{An} of declarations. We use Γ, Δ etc. as meta variables for contexts. As notational conventions, we will write Γ, Δ for the concatenation of the contexts Γ and Δ. Also, Γ − E will denote the context obtained from Γ by removing all the elements of E from Γ.

A typing judgment is an expression of the form Γ ⊢ a : A where Γ is a context, a is a (typed) λε-term and A is a type. We have the following typing rules that are used to derive typing judgments, where rules whose names end with 'I' ('E') introduce (eliminate, respectively) the types mentioned in the rule names.



$$\frac{}{x^A \vdash x^A : A}\ (\mathrm{assume})
\qquad
\frac{\Gamma \vdash b : B}{\Gamma - \{x^A\} \vdash \lambda x^A.b : A \Rightarrow B}\ (\Rightarrow I)
\qquad
\frac{\Gamma \vdash b : A \Rightarrow B \qquad \Delta \vdash a : A}{\Gamma, \Delta \vdash ba : B}\ (\Rightarrow E)$$

$$\frac{\Gamma_1 \vdash a_1 : A_1 \qquad \cdots \qquad \Gamma_n \vdash a_n : A_n}{\Gamma_1, \ldots, \Gamma_n \vdash \{a_1/x_1^{A_1}, \ldots, a_n/x_n^{A_n}\} : \{x_1^{A_1}, \ldots, x_n^{A_n}\}}\ (\mathrm{env}I)
\qquad
\frac{\Gamma \vdash e : E \qquad \Delta \vdash a : A}{\Gamma, (\Delta - E) \vdash e\llbracket a\rrbracket : A}\ (\mathrm{env}E)$$



In (⇒I), x must be a bindable variable. We see by the (envI) rule that the environment type {x1^{A1}, ..., xn^{An}} for n = 0 becomes the unit type {} whose unique element is the empty environment {}.

A λε-term is canonical if it is of the form λx^A.b or {a1/x1^{A1}, ..., an/xn^{An}}, that is, if it is obtained by one of the introduction rules. A λε-term is neutral if it is not canonical. If Γ ⊢ a : A is derivable and Γ does not contain bindable variables (that is, all variables in Γ are unbindable variables), then a is said to be bindable variable free. A λε-term is said to be an environment term if its type is an environment type.
An untyped λε-term a' is said to be typable if we can derive Γ ⊢ a : A for some Γ, a and A by using the above typing rules such that a' is obtained from a by erasing all the types in a (that is, by replacing each declaration x^A in a by x). In this case a' is called the type-free form of a. Henceforth, we will often use the type-free form of λε-terms for the sake of notational simplicity.

It is easy to see that if Γ ⊢ a : A is derivable, then we can completely recover the entire derivation tree uniquely by inspecting the typed term a². In this case, we write TY(a) (type of a) for A. Note that if e = {a1/x1, ..., an/xn}, then TY(e) is {x1, ..., xn}. We will say that these variables are bound by e.

We can now use TY(e) to tell whether a given occurrence of a variable in a term is free. Consider the expression (λx.fxy)y. There are two free occurrences of y. We will describe an occurrence by a term with a hole (□) in it, and we say y is free at (λx.fx□)y and y is free at (λx.fxy)□. The syntax of occurrences is:

$$\alpha, \beta, \varepsilon ::= \square \mid \lambda x.\beta \mid \beta a \mid b\alpha \mid \{\ldots, a_{i-1}/x_{i-1}, \alpha_i/x_i, a_{i+1}/x_{i+1}, \ldots\} \mid \varepsilon\llbracket a\rrbracket \mid e\llbracket \alpha\rrbracket.$$



The inductive definition of 'variable is free at occurrence' follows the syntax of terms.

$$\frac{}{x \text{ is free at } \square}
\qquad
\frac{x \text{ is free at } \beta}{x \text{ is free at } \lambda y.\beta}\ (\text{if } x \neq y)
\qquad
\frac{x \text{ is free at } \beta}{x \text{ is free at } \beta a}
\qquad
\frac{x \text{ is free at } \alpha}{x \text{ is free at } b\alpha}$$

$$\frac{x \text{ is free at } \alpha}{x \text{ is free at } \{\ldots, a_{i-1}/x_{i-1}, \alpha_i/x_i, a_{i+1}/x_{i+1}, \ldots\}}
\qquad
\frac{x \text{ is free at } \varepsilon}{x \text{ is free at } \varepsilon\llbracket a\rrbracket}
\qquad
\frac{x \text{ is free at } \alpha}{x \text{ is free at } e\llbracket \alpha\rrbracket}\ (\text{if } x \notin \mathrm{TY}(e))$$



We define FV(a) as the set of variables occurring free in a. It can be easily verified that if Γ ⊢ a : A is derivable, then Γ, considered as a set, is equal to FV(a). In particular, a is closed, i.e., FV(a) = ∅, iff ⊢ a : A is derivable.

We can easily define the replacement of a variable in an occurrence to get a term: it is just textual replacement of the □.

α-congruence. Let a and b be terms and x, y be bindable variables of the same type such that y is fresh for a (that is, y is neither free nor bound in a). Then we will identify λx.a with λy.c where c is obtained from a by replacing each free occurrence of x by y. Here, α-congruence means changing the names of λ-bound variables but not those appearing in environment expressions, such as x in {a/x}.



² It is, in general, not possible to recover the typed form when its type-free form is given. Therefore, even if we write terms in type-free forms, it is only for the sake of simplicity, and we are in fact dealing with fully decorated typed terms.
We will write a : A if A = TY(a). As an example, the following is a typing derivation for the term {y/x}⟦x⟧ = {y^A/x^A}⟦x^A⟧:

$$\frac{\dfrac{y^A \vdash y : A}{y^A \vdash \{y/x\} : \{x^A\}} \qquad x^A \vdash x : A}{y^A \vdash \{y/x\}\llbracket x\rrbracket : A}$$

By the above typing, we see that the two occurrences of x in {y/x}⟦x⟧ are both bound, while the only occurrence of y in this term is free.

The following example reveals a subtle point which is related to the fact that in the λε-calculus we can pass an environment as an argument to a function.

$$\frac{z^{\{x^{A \Rightarrow B},\, y^A\}} \vdash z : \{x^{A \Rightarrow B},\, y^A\} \qquad \dfrac{x^{A \Rightarrow B} \vdash x : A \Rightarrow B \qquad y^A \vdash y : A}{x^{A \Rightarrow B}, y^A \vdash xy : B}}{\dfrac{z^{\{x^{A \Rightarrow B},\, y^A\}} \vdash z\llbracket xy\rrbracket : B}{\vdash \lambda z.(z\llbracket xy\rrbracket) : \{x^{A \Rightarrow B},\, y^A\} \Rightarrow B}}$$
h Xz.{zlxyj)-.{x^^^,y^}^B 



3 Reduction Rules 

In this section we define a reduction relation →λε on λε-terms. Then, in this and the following sections, we show that →λε enjoys the subject reduction property, →λε is confluent and strongly normalizing, and the λε-calculus is a conservative extension of the simply typed λβ-calculus. In this way, we can show that the λε-calculus solves the problem we posed in section 1.

We first define ↦λε as the union of the two relations ↦λ and ↦ε, where the relation ↦λ is defined by the following single rule:

$$(\lambda)\quad (\lambda x.b)a \mapsto_\lambda \{a/x\}\llbracket b\rrbracket,$$

and the relation ↦ε is defined by the following 6 conversion rules. These 6 rules will be called ε-rules. They evaluate expressions of the form e⟦a⟧.

$$\begin{array}{ll}
(\mathrm{gc}) & e\llbracket a\rrbracket \mapsto_\varepsilon a, \text{ if } \mathrm{TY}(e) \cap \mathrm{FV}(a) = \emptyset. \\
(\mathrm{var}) & \{a_1/x_1, \ldots, a_n/x_n\}\llbracket x_i\rrbracket \mapsto_\varepsilon a_i \quad (1 \le i \le n). \\
(\mathrm{abs}) & e\llbracket \lambda x.b\rrbracket \mapsto_\varepsilon \lambda x.e\llbracket b\rrbracket, \text{ if } x \notin \mathrm{TY}(e) \cup \mathrm{FV}(e). \\
(\mathrm{app}) & e\llbracket ba\rrbracket \mapsto_\varepsilon e\llbracket b\rrbracket e\llbracket a\rrbracket. \\
(\mathrm{env}) & e\llbracket \{a_1/x_1, \ldots, a_n/x_n\}\rrbracket \mapsto_\varepsilon \{e\llbracket a_1\rrbracket/x_1, \ldots, e\llbracket a_n\rrbracket/x_n\}. \\
(\mathrm{eval}) & e\llbracket f\llbracket x\rrbracket\rrbracket \mapsto_\varepsilon e\llbracket f\rrbracket\llbracket x\rrbracket, \text{ if } x \in \mathrm{TY}(f).
\end{array}$$

The garbage collection rule (gc) collects e as garbage. We can see the correctness of this rule intuitively, because TY(e) ∩ FV(a) = ∅ means that the variables in FV(a) are not bound by e. The (abs) rule pushes the environment e through the λx binder. Thanks to the typing information about e, we can state precisely the condition under which we may push the environment e through the λx binder. We note that the condition x ∉ TY(e) ∪ FV(e) can always be met by taking a suitable α-congruent term.
We introduced the last rule (eval) to take care of nested evaluation. It may seem that one needs a rule which reduces a term of the form e⟦f⟦a⟧⟧ for any term a which may or may not be a variable. But such a rule is not necessary, since if a is not a variable, then either a is of the form g⟦b⟧, or otherwise we can reduce f⟦a⟧ by one of the rules (abs), (app) or (env). If a is of the form g⟦b⟧, then we can repeatedly apply this argument to f⟦g⟦b⟧⟧. So, we only need a rule that reduces e⟦f⟦x⟧⟧. Now, if x ∉ TY(f), then we can convert f⟦x⟧ to x by the (gc) rule. In this way, we arrived at the rule (eval). Theorem 1 below shows that these reduction rules comprise a sufficiently rich set of reduction rules. We will discuss our choice of the reduction rules further at the end of subsection 5.2.

If π ∈ Π(a) and b is a term which is of the same type as a/π, then $a_\pi[b]$ stands for the term which is obtained from a by replacing its subterm a/π at π with b. Then the reduction relation →λε is defined by stipulating that $a \to_{\lambda\varepsilon} a_\pi[b]$ if and only if $a/\pi \mapsto_{\lambda\varepsilon} b$. We write $\to^*_{\lambda\varepsilon}$ for the reflexive and transitive closure of the relation →λε, and $\to^+_{\lambda\varepsilon}$ for its transitive closure.

A λε-term a is said to be strongly normalizing (SN, for short) if there are no infinite reduction sequences starting from a.

The following theorem shows that we have a sufficiently rich set of reduction 
rules. 

Theorem 1 (Closed Normal Term is Canonical). If c : C is closed and 
normal, then c is canonical. 

Let Γ and Γ' be contexts. Then we say that Γ' is a subcontext of Γ if each declaration in Γ' is also in Γ. In other words, Γ' is a subcontext of Γ if the set consisting of the members of Γ' is a subset of the set consisting of the members of Γ. We will write Γ' ⊆ Γ if Γ' is a subcontext of Γ.

Our reduction relation →λε enjoys the subject reduction property.

Theorem 2 (Subject Reduction). If Γ ⊢ a : A and a →λε b, then Δ ⊢ b : A for some subcontext Δ of Γ.

This theorem says not only that the type is preserved by reduction, but also 
that the reduction never introduces new free variables. Thus, if we start from a 
closed term, then we always get closed terms by reductions of the given term. 

We conclude this section by giving simple examples of λε programs (i.e., closed λε-terms) which show the expressivity of the language. We assume that we have an integer type and the successor function s.

$$\{\lambda f.\lambda x.f(f(x))/\mathrm{double}\}\llbracket \{\mathrm{double}\ s/\mathrm{add2}\}\llbracket \{\mathrm{double}\ \mathrm{add2}/\mathrm{add4}\}\llbracket \mathrm{add2}(\mathrm{add4}(0))\rrbracket\rrbracket\rrbracket \to^*_{\lambda\varepsilon} 6.$$

$$\{\lambda f.\lambda e.\{f(e\llbracket x\rrbracket)/x,\ f(e\llbracket y\rrbracket)/y\}/\mathrm{pointwise}\}\llbracket \mathrm{pointwise}\ s\ \{1/x, 2/y\}\rrbracket \to^*_{\lambda\varepsilon} \{2/x, 3/y\}.$$
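As an added example (not code from the paper), here is a small Python interpreter for the type-free λε-terms of Sections 2 and 3: it computes TY(e) and FV(a) by the 'free at' rules, implements the (λ)-rule and the six ε-rules as a leftmost-outermost reduction, α-renames when the (abs) side condition fails, and runs the two programs above. The integer literals, the successor s with a δ-rule s n ↦ n+1, the `_v` prefix for fresh names and the environment-type annotation carried by variables (the paper's x^E, needed to read TY(e) off a variable e) are this example's own assumptions.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional, Tuple
# Type-free λε-terms (Section 2): z | λx.b | b a | {a1/x1,...,an/xn} | e⟦a⟧. Const and
# the free variable s model the integer type and successor that Section 3's examples assume.
@dataclass(frozen=True)
class Var: name: str; env_ty: Optional[frozenset] = None    # env_ty: the names in E for x^E
@dataclass(frozen=True)
class Lam: x: str; body: object
@dataclass(frozen=True)
class App: fun: object; arg: object
@dataclass(frozen=True)
class Env: binds: Tuple[Tuple[object, str], ...]             # ((a1, x1), ..., (an, xn))
@dataclass(frozen=True)
class Ev: env: object; body: object                         # e⟦a⟧
@dataclass(frozen=True)
class Const: n: int

def kids(t):  # immediate subterms in position order: a/1, a/2, ... of Section 2
    if isinstance(t, Lam): return [t.body]
    if isinstance(t, App): return [t.fun, t.arg]
    if isinstance(t, Env): return [b for b, _ in t.binds]
    return [t.env, t.body] if isinstance(t, Ev) else []

def TY(e):
    """TY(e): the variables bound by environment term e, read off its decorated form."""
    if isinstance(e, Env): return frozenset(x for _, x in e.binds)
    if isinstance(e, Ev): return TY(e.body)                      # e'⟦f⟧ : E when f : E
    if isinstance(e, Var) and e.env_ty is not None: return e.env_ty
    if isinstance(e, App) and isinstance(e.fun, Lam): return TY(e.fun.body)
    raise TypeError(f"not an environment term: {e}")

def FV(a):
    """Free variables by the 'free at' rules: e⟦a⟧ binds exactly TY(e) inside a."""
    if isinstance(a, Var): return frozenset({a.name})
    if isinstance(a, Lam): return FV(a.body) - {a.x}
    if isinstance(a, Ev): return FV(a.env) | (FV(a.body) - TY(a.env))
    return frozenset().union(*map(FV, kids(a)))                 # App, Env, Const
_fresh = count()
def rename(a, x, y):
    """α-congruence: replace the free occurrences of x in a by the fresh name y."""
    if isinstance(a, Var): return Var(y, a.env_ty) if a.name == x else a
    if isinstance(a, Lam): return a if a.x == x else Lam(a.x, rename(a.body, x, y))
    if isinstance(a, App): return App(rename(a.fun, x, y), rename(a.arg, x, y))
    if isinstance(a, Env): return Env(tuple((rename(b, x, y), z) for b, z in a.binds))
    if isinstance(a, Ev):   # occurrences under e⟦·⟧ are bound when x ∈ TY(e)
        return Ev(rename(a.env, x, y), a.body if x in TY(a.env) else rename(a.body, x, y))
    return a

def step_root(t):
    """One ↦λε contraction at the root (or the assumed δ-rule s n ↦ n+1); None if no redex."""
    if isinstance(t, App):
        if isinstance(t.fun, Lam): return Ev(Env(((t.arg, t.fun.x),)), t.fun.body)     # (λ)
        if t.fun == Var("s") and isinstance(t.arg, Const): return Const(t.arg.n + 1)    # δ
    if not isinstance(t, Ev): return None
    e, a = t.env, t.body
    if not (TY(e) & FV(a)): return a                                                 # (gc)
    if isinstance(e, Env) and isinstance(a, Var):                                     # (var)
        return next(b for b, x in e.binds if x == a.name)
    if isinstance(a, Lam):                                                            # (abs)
        x, b = a.x, a.body
        if x in TY(e) | FV(e):            # meet the side condition by α-renaming x;
            y = f"_v{next(_fresh)}"       # assumed: user-chosen names never start with _v
            x, b = y, rename(b, x, y)
        return Lam(x, Ev(e, b))
    if isinstance(a, App): return App(Ev(e, a.fun), Ev(e, a.arg))                    # (app)
    if isinstance(a, Env): return Env(tuple((Ev(e, b), x) for b, x in a.binds))      # (env)
    if isinstance(a, Ev) and isinstance(a.body, Var) and a.body.name in TY(a.env):
        return Ev(Ev(e, a.env), a.body)                                              # (eval)
    return None

def step(t):
    """Contract the leftmost-outermost redex: a →λε a_π[b] where a/π ↦λε b."""
    r = step_root(t)
    if r is not None: return r
    ks = kids(t)
    for i, k in enumerate(ks):
        r = step(k)
        if r is None: continue
        ks[i] = r
        if isinstance(t, Lam): return Lam(t.x, r)
        if isinstance(t, App): return App(*ks)
        if isinstance(t, Ev): return Ev(*ks)
        return Env(tuple(zip(ks, (x for _, x in t.binds))))
    return None

def normalize(t):  # λε is SN (Section 5), so this loop terminates
    while (r := step(t)) is not None: t = r
    return t

def env(*binds):   # {a1/x1, ..., an/xn} written as env((x1, a1), ..., (xn, an))
    return Env(tuple((a, x) for x, a in binds))

# The two programs closing Section 3, with s and integer literals as assumed there.
double = Lam("f", Lam("x", App(Var("f"), App(Var("f"), Var("x")))))
program1 = Ev(env(("double", double)),
              Ev(env(("add2", App(Var("double"), Var("s")))),
                 Ev(env(("add4", App(Var("double"), Var("add2")))),
                    App(Var("add2"), App(Var("add4"), Const(0))))))
e_var = Var("e", frozenset({"x", "y"}))     # e^{{x^Int, y^Int}}: its type fixes TY(e)
pointwise = Lam("f", Lam("e", env(("x", App(Var("f"), Ev(e_var, Var("x")))),
                                  ("y", App(Var("f"), Ev(e_var, Var("y")))))))
program2 = Ev(env(("pointwise", pointwise)),
              App(App(Var("pointwise"), Var("s")), env(("x", Const(1)), ("y", Const(2)))))
```

`normalize(program1)` yields `Const(6)` and `normalize(program2)` yields the environment `{2/x, 3/y}`, as stated above. The strategy is leftmost-outermost, which by confluence (Section 4) and SN (Section 5) reaches the same normal form as any other strategy; the (gc) check is tried before (var) so that an environment is dropped as soon as it binds nothing free in its argument, exactly as the rules are ordered here.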
4 Confluence and Conservativity

In this section, we prove the confluence property of the λε-calculus by combining Hardin's interpretation method [5] (which is a standard method used to prove the confluence of calculi of explicit substitutions [1, 2, 3, 7]) with Takahashi's parallel reduction method [11].

Lemma 1. →ε on λε-terms is noetherian and confluent.

A λε-term a is said to be ε-normal if a →ε b holds for no b. By the above lemma, we see that for any λε-term a there uniquely exists an ε-normal term b such that a →*ε b. We will write ε(a) for this b. ε-normal terms are characterized by the following grammar, where u ranges over ε-normal terms and v over ε-normal terms such that x ∈ TY(v) and which are not canonical, that is, not of the form {a1/x1, ..., an/xn}.

$$u ::= x \mid \lambda x.u \mid uu \mid \{u/x, \ldots, u/x\} \mid v\llbracket x\rrbracket$$

We now define the parallel reduction relation ⇒ on ε-normal λε-terms as follows.

1. $x \Rightarrow x$.

2. If $a \Rightarrow b$, then $\lambda x.a \Rightarrow \lambda x.b$.

3. If $a \Rightarrow c$ and $b \Rightarrow d$, then $(\lambda x.a)b \Rightarrow \varepsilon(\{d/x\}\llbracket c\rrbracket)$.

4. If $a \Rightarrow c$ and $b \Rightarrow d$, then $ab \Rightarrow cd$.

5. If $a_i \Rightarrow b_i$, then $\{a_1/x_1, \ldots, a_n/x_n\} \Rightarrow \{b_1/x_1, \ldots, b_n/x_n\}$.

6. If $e \Rightarrow f$, then $e\llbracket x\rrbracket \Rightarrow \varepsilon(f\llbracket x\rrbracket)$.

Next, with each ε-normal term a, we associate an ε-normal term a* as follows.

1. $x^* := x$.

2. $(\lambda x.a)^* := \lambda x.a^*$.

3. $((\lambda x.a)b)^* := \varepsilon(\{b^*/x\}\llbracket a^*\rrbracket)$.

4. $(ab)^* := a^*b^*$, if a is not an abstraction.

5. $\{a_1/x_1, \ldots, a_n/x_n\}^* := \{a_1^*/x_1, \ldots, a_n^*/x_n\}$.

6. $(e\llbracket x\rrbracket)^* := \varepsilon(e^*\llbracket x\rrbracket)$.

It is easy to see that a ⇒ a* for any ε-normal term a. In this section, we work only in the λε-calculus. So, we will write a → b (a →* b) for a →λε b (a →*λε b), respectively. We have the following key Lemmas 2-5.

Lemma 2. If a ⇒ b, then a →* b.

Lemma 3. If ε(a) ⇒ ε(a') and ε(e) ⇒ ε(e'), then ε(e⟦a⟧) ⇒ ε(e'⟦a'⟧).

Lemma 4. If a → a', then ε(a) ⇒ ε(a').

Lemma 5. ⇒ on ε-normal λε-terms is confluent.

Theorem 3 (Confluence). →λε on λε-terms is confluent.
Next, we show the conservativity of λε over the simply typed λβ-calculus, where by the simply typed λβ-calculus we mean a typed calculus whose typing rules are (assume), (⇒I) and (⇒E) and whose only reduction rule is (β). We can state the conservativity theorem as follows.

Theorem 4 (Conservativity). Let a and b be typed λβ-terms. Then a →*λβ b if and only if a →*λε b.

In order to prove this theorem, we define simple λε-terms as follows. A λε-term is simple if its type A is of the following form:

$$A, B ::= K \mid A \Rightarrow B$$

and its untyped form a can be constructed by the following grammar:

$$a, b ::= x \mid \lambda x.b \mid ba \mid e\llbracket a\rrbracket$$
$$e, f ::= \{a/x\} \mid e\llbracket f\rrbracket$$



We note that any λβ-term is a simple λε-term. If e⟦a⟧ is a simple λε-term, then we say that e is a simple environment term.

Before we state Lemma 6 we define a syntactic translation Φ which translates each simple λε-term to a λβ-term as follows. We also define auxiliary translation functions Ψ1 and Ψ2 at the same time.



1. $\Phi(x) = x$.

2. $\Phi(\lambda x.b) = \lambda x.\Phi(b)$.

3. $\Phi(ba) = \Phi(b)\Phi(a)$.

4. $\Phi(e\llbracket a\rrbracket) = \Phi(a)[\Psi_1(e) := \Psi_2(e)]$.

5. $\Psi_1(\{a/x\}) = x$.

6. $\Psi_1(e\llbracket f\rrbracket) = \Psi_1(f)$.

7. $\Psi_2(\{a/x\}) = \Phi(a)$.

8. $\Psi_2(e\llbracket f\rrbracket) = \Psi_2(f)[\Psi_1(e) := \Psi_2(e)]$.



Lemma 6. Let a be a simple λε-term. If a →λε b, then b is also simple and Φ(a) →*β Φ(b).

Proof of Theorem 4. The only-if part is trivial, and the if part follows from Lemma 6 by noting that Φ is the identity on λβ-terms. □
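As an added example (not from the paper), the translation Φ, Ψ1, Ψ2 above implemented in Python over a nested-tuple encoding of simple λε-terms. The tuple encoding, the helper names and the λβ-substitution are this example's own; the substitution assumes the Barendregt convention (bound names distinct from the free names of the substituted term), so it does no capture-avoiding renaming.

```python
# Simple λε-terms (Section 4) as nested tuples; this encoding is the example's own:
#   a, b ::= ('var', x) | ('lam', x, b) | ('app', b, a) | ('ev', e, a)
#   e, f ::= ('env', x, a)  for {a/x}   | ('ev', e, f)  for e⟦f⟧
def subst(t, x, s):
    """t[x := s] on λβ-terms. Assumed (Barendregt convention): bound names in t are
    distinct from the free names of s, so no capture-avoiding renaming is needed."""
    if t[0] == 'var':
        return s if t[1] == x else t
    if t[0] == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, s))
    return ('app', subst(t[1], x, s), subst(t[2], x, s))

def phi(a):
    """Φ: translate a simple λε-term to a λβ-term (clauses 1-4)."""
    if a[0] == 'var': return a
    if a[0] == 'lam': return ('lam', a[1], phi(a[2]))
    if a[0] == 'app': return ('app', phi(a[1]), phi(a[2]))
    e, b = a[1], a[2]
    return subst(phi(b), psi1(e), psi2(e))        # Φ(e⟦a⟧) = Φ(a)[Ψ1(e) := Ψ2(e)]

def psi1(e):
    """Ψ1: the variable a simple environment term binds (clauses 5-6)."""
    return e[1] if e[0] == 'env' else psi1(e[2])

def psi2(e):
    """Ψ2: the λβ-term it binds that variable to (clauses 7-8)."""
    if e[0] == 'env':
        return phi(e[2])
    outer, inner = e[1], e[2]                     # e⟦f⟧: Ψ2(f)[Ψ1(e) := Ψ2(e)]
    return subst(psi2(inner), psi1(outer), psi2(outer))

def V(x): return ('var', x)

# {f/x}⟦{g/y}⟦x y⟧⟧: two nested evaluations become two ordinary substitutions.
nested_eval = ('ev', ('env', 'x', V('f')), ('ev', ('env', 'y', V('g')), ('app', V('x'), V('y'))))
# {g/x}⟦{x/y}⟧⟦y⟧: the environment {x/y} is itself evaluated under {g/x} (clause 8).
env_of_env = ('ev', ('ev', ('env', 'x', V('g')), ('env', 'y', V('x'))), V('y'))
```

`phi(nested_eval)` is the λβ-term f g and `phi(env_of_env)` is g, which agrees with the λε reduction {g/x}⟦{x/y}⟧⟦y⟧ →(env) {{g/x}⟦x⟧/y}⟦y⟧ →(var) {g/y}⟦y⟧ →(var) g, as Lemma 6 requires; on a term without any e⟦a⟧, `phi` returns its argument unchanged, which is the point used in the proof of Theorem 4.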



5 Strong Normalizability 

In this section we prove the strong normalizability of the λε-calculus using the reducibility argument. (See, e.g., [4].) So, for each type A, we define a set [A] of reducible terms of type A as follows.

1. If a : A and A is atomic or the empty environment type {}, then a ∈ [A] iff a is SN.

2. If b : A ⇒ B, then b ∈ [A ⇒ B] iff ba ∈ [B] for all a ∈ [A].

3. If e : E and E is a non-empty environment type, then e ∈ [E] iff e⟦x^A⟧ ∈ [A] for all x^A ∈ E.

We can prove the following fundamental proposition as in [4].

Proposition 1.

(CR1) If a ∈ [A], then a is SN.

(CR2) If a ∈ [A] and a → a', then a' ∈ [A].

(CR3) If a : A is neutral and a' ∈ [A] for all a' such that a → a', then a ∈ [A].
5.1 Decoration Trees and Decorated Terms

Although we can define reducibility in a standard way, we cannot prove the SN of λε in a similar way as in the case of the simply typed lambda calculus. The reason is that while substitution is carried out by the single-step (β)-rule in the simply typed lambda calculus, in λε we have to compute the substitution internally by moving around environments that carry the information about the substitution. To cope with this situation, we introduce the notion of a decoration tree, which is useful in keeping track of the movements of the environments during the reduction steps.

We define decoration trees (δ) and their types (TY(δ)) inductively as follows.

1. If δ1, ..., δn (n ≥ 0) are decoration trees, then δ = (δ1, ..., δn) is a decoration tree and TY(δ) := TY(δ1) ∪ ... ∪ TY(δn).

2. If δ is a decoration tree and e is a bindable variable free environment term, then (e, δ) is a decoration tree and TY((e, δ)) := TY(e) ∪ TY(δ).

Note that each leaf of a decoration tree is () or a bindable variable free environment term. A decoration tree is trivial if its leaves are all (). We will use δ, γ, ρ etc. to denote decoration trees.

Let a and ā be terms of type A and δ be a decoration tree. We define a ternary relation 'ā is a decoration of a by δ' inductively as follows. In the following definition, δ provides the information about the positions in a which are to be decorated as well as which environments are used to decorate these positions. We will write δ : a ↦ ā for this relation.

$$\frac{\delta : a \mapsto \bar a}{(e, \delta) : a \mapsto e\llbracket \bar a\rrbracket}
\qquad
\frac{}{() : x \mapsto x}
\qquad
\frac{\delta : b \mapsto \bar b}{(\delta) : \lambda x.b \mapsto \lambda x.\bar b}\ (*)
\qquad
\frac{\delta : b \mapsto \bar b \qquad \delta' : a \mapsto \bar a}{(\delta, \delta') : ba \mapsto \bar b\bar a}$$

$$\frac{\delta_1 : a_1 \mapsto \bar a_1 \qquad \cdots \qquad \delta_n : a_n \mapsto \bar a_n}{(\delta_1, \ldots, \delta_n) : \{a_1/x_1, \ldots, a_n/x_n\} \mapsto \{\bar a_1/x_1, \ldots, \bar a_n/x_n\}}
\qquad
\frac{\delta : e \mapsto \bar e \qquad \delta' : a \mapsto \bar a}{(\delta, \delta') : e\llbracket a\rrbracket \mapsto \bar e\llbracket \bar a\rrbracket}\ (**)$$

The rule marked by (*) may be applied only under the condition that x ∉ TY(δ), and the rule marked by (**) may be applied only when TY(e) ∩ TY(δ') = ∅.

If δ : c ↦ a holds, we will call the triple (a, c, δ) a decorated term over c, and will simply write a for the decorated term if c and δ can be inferred from the context.

It is easy to see that if δ : c ↦ a and δ : c ↦ b, then a = b. So, we will write δ(c) for this a. It is also easy to see that for each term a, there is a unique trivial δ such that δ : a ↦ a. We will write ιa for this δ.

If $\mathbf{e}$ = e1, ..., en, then we will write $(\mathbf{e}, \delta)$ for (e1, (e2, ... (en, δ) ...)) and $\mathbf{e}\llbracket a\rrbracket$ for e1⟦... en⟦a⟧ ...⟧. Suppose that δ : c ↦ c̄. Then δ can be written uniquely in the form $(\mathbf{e}, \gamma)$ where γ is of the form (δ1, ..., δn) (n ≥ 0). In this case, we have $\bar c = \mathbf{e}\llbracket \gamma(c)\rrbracket$.

Let δ : c ↦ c̄ and π ∈ Π(c̄). We say that π is internal, marginal or external in δ if it can be seen so by the following inductive clauses. At the same time, we also define δ/π, which is either a decoration tree or a subterm of some environment term in δ.

1. Λ is internal in (δ1, ..., δn) (n ≥ 0) and (δ1, ..., δn)/Λ := (δ1, ..., δn).

2. Λ is marginal in (e, δ) and (e, δ)/Λ := (e, δ).

3. If π ∈ Π(e), then 1π is external in (e, δ) and (e, δ)/1π := e/π.

4. If π is internal, marginal or external in δ, then 2π is internal, marginal or external, respectively, in (e, δ) and (e, δ)/2π := δ/π.

5. If π is internal, marginal or external in δi, then iπ is internal, marginal or external, respectively, in (δ1, ..., δn) (n ≥ 1) and (δ1, ..., δn)/iπ := δi/π.

Suppose that δ : c ↦ c̄ and π ∈ Π(c̄). The occurrence of c̄/π in c̄ is said to be an internal, marginal or external occurrence with respect to δ if π is internal, marginal or external in δ, respectively. It is easily verified that for any π ∈ Π(c̄), π is either internal, marginal or external in δ, and only one of these is the case. This classification can be characterized as follows: π is external if δ/π is a λε-term, π is marginal if π1 is external, and π is internal otherwise.

Suppose that δ : c ↦ c̄ and σ is external in δ. Then we can find a unique π such that π is marginal in δ and π1 ≤ σ. In this case, we say that π is the root of σ in δ.

Let δ : c ↦ c̄. Then this decoration naturally induces a mapping from Π(c) to Π(c̄) as follows. We use δ to denote this mapping as well. So, for each π ∈ Π(c) we define δ(π) ∈ Π(c̄) inductively as follows.

1. $(\delta_1, \ldots, \delta_n)(\Lambda) := \Lambda$.

2. $(\delta_1, \ldots, \delta_n)(i\pi) := i\,\delta_i(\pi)$ $(1 \le i \le n)$.

3. $(e, \delta)(\pi) := 2\,\delta(\pi)$.

We can easily check that the image of the mapping δ : Π(c) → Π(c̄) is exactly the set of internal positions in δ. If π̄ = δ(π), then we write δ⁻¹(π̄) for π.

Let δ : c ↦ c̄, so that c̄ is of the form $\mathbf{e}\llbracket \gamma(c)\rrbracket$ where γ = (δ1, ..., δn). Then, for each π ∈ Π(c), we define a decoration tree δ|π as follows. If π = Λ, we put δ|π := γ. If π = iσ, we put δ|π := δi|σ. We can then see that for each π ∈ Π(c), we have δ|π : c/π ↦ c̄/π̄ where π̄ = δ(π). We will call c̄/π̄ the image of c/π under δ.

A decoration tree δ is strongly normalizing (SN) if each environment term e in δ is SN.

5.2 Orthogonal Decorations 

In this subsection we introduce orthogonal decorations and show their fundamental properties. We will say that δ : c ↦ c̄ is orthogonal if for each marginal subterm e⟦a⟧ of c̄, TY(e) ∩ FV(a) = ∅ holds. Then we have the following proposition, which is used in the proof of Proposition 4.



Explicit Environments 351 



Proposition 2. If γ : c ↦ c̄ is orthogonal, γ is SN and c ∈ [C], then c̄ ∈ [C].

Discussions on the (eval) rule. Here, we would like to remark that the condition x ∈ TY(f) is essential in proving Proposition 2. Now, let us consider the following rule:

$$(\mathrm{eval}')\quad e\llbracket f\llbracket x\rrbracket\rrbracket \mapsto_\varepsilon e\llbracket f\rrbracket\llbracket x\rrbracket, \text{ if } x \notin \mathrm{TY}(e) \text{ or } x \in \mathrm{TY}(f).$$

This rule is semantically correct and more liberal than our (eval) rule. So, we might be tempted to make our calculus more liberal by adopting the (eval') rule in place of the (eval) rule. However, if we do so, the calculus will not be strongly normalizing. In fact, we have the following counter-example to SN due to Bloo et al. [3]. Let us put f := {(λx.z)z/x} and e := {f⟦z⟧/x}, where z is an arbitrary unbindable variable and z and x are of the same type, say, A. Then we can construct an infinite reduction sequence starting from e⟦f⟧. We also note that both e and f are SN and (e, ιf) : f ↦ e⟦f⟧ is an orthogonal decoration since f is bindable variable free. Hence Proposition 2 no longer holds for the extended calculus. Thus we see that the condition x ∈ TY(f) is indispensable in our proof of Proposition 2.

Next, consider the rule:

$$(\mathrm{eval}'')\quad e\llbracket f\llbracket a\rrbracket\rrbracket \mapsto_\varepsilon e\llbracket f\rrbracket\llbracket a\rrbracket, \text{ if } \mathrm{TY}(e) \cap (\mathrm{FV}(a) - \mathrm{TY}(f)) = \emptyset.$$

This rule is even more liberal than the (eval') rule, and if we adopted this rule instead of our (eval) rule, we would still have the confluence and conservativity properties, but we would no longer have SN, since SN already fails for the less liberal system, as we saw above. These are the reasons we have chosen the (eval) rule as it is now.



5.3 Partial Orders on Decorated Terms 

In this subsection, for each term c, we define a partial order ⊑c on decorated terms over c. These partial orders play an essential role in our proof of SN.

Let δ : c ↦ c̄ be a decoration, and suppose that π ∈ Π(c) is such that c/π is a variable. Then we define env(c, π, δ) inductively below as a sequence of pairs of the form (e, σ) where e is an environment term in δ and σ ∈ Π(c). In the following definition, if $\mathbf{e}$ = (e1, σ1), ..., (en, σn), then $k\mathbf{e}$ denotes the sequence (e1, kσ1), ..., (en, kσn).

1. $\mathrm{env}(x, \Lambda, ()) := \emptyset$ (the empty sequence).

2. $\mathrm{env}(c, k\pi, (\delta_1, \ldots, \delta_n)) := k\,\mathrm{env}(c/k, \pi, \delta_k)$ $(1 \le k \le n)$.

3. $\mathrm{env}(c, \pi, (e, \delta)) := \mathrm{env}(c, \pi, \delta), (e, \Lambda)$.

If δ : c ↦ c̄ and (e, σ) is in the sequence env(c, π, δ), then we will say that the variable c/π at π in c is decorated by e at σ in c and at δ(σ) in c̄. We note that, here, δ(σ) is marginal in δ and c̄/δ(σ) = e⟦a⟧ for some a. If (e, σ) appears before (e', σ') in env(c, π, δ), then we have σ > σ' and δ(σ) > δ(σ'). Hence, we see that env(c, π, δ) gives a sorted sequence of the environments decorating c/π, where the environment closest to c/π is the first element of the sequence.
Here is a simple example. Let δ = (f, ((e, ιy), ιx)). For the decoration δ : yx ↦ f⟦e⟦y⟧x⟧, we have env(yx, 1, δ) = (e, 1), (f, Λ) and env(yx, 2, δ) = (f, Λ).

Let $\mathbf{e}$ = (e1, σ1), ..., (em, σm) and $\mathbf{e}'$ = (e'1, σ'1), ..., (e'n, σ'n). We write $\mathbf{e} \le \mathbf{e}'$ if (1) m ≤ n and (2) for each k such that 1 ≤ k ≤ m, ek = e'k and σk ≤ σ'k hold. Let ā and b̄ be two decorated terms such that γ : c ↦ ā and δ : c ↦ b̄. We write ā ⊑c b̄ if, for each occurrence of a variable x = c/π in c, we have env(c, π, γ) ≤ env(c, π, δ). It is easy to see that ⊑c determines a partial order on decorated terms over c, and c = (c, c, ιc) ⊑c ā holds for any decorated term ā over c.

Proposition 3. If c̄1 ⊑c c̄2 and c̄2 ∈ [C], then c̄1 ∈ [C].

5.4 Reducibility Theorem 

We say that a decoration tree δ is reducible if each environment term in δ is reducible. In this subsection, we prove the following theorem as the final result of our paper.

Theorem 5 (Reducibility). If c : C, $(\mathbf{e}, \iota_c) : c \mapsto \mathbf{e}\llbracket c\rrbracket$ and $(\mathbf{e}, \iota_c)$ is reducible, then $\mathbf{e}\llbracket c\rrbracket \in [C]$.

We note that by using an empty sequence as $\mathbf{e}$ in the theorem, we can conclude that any λε-term is reducible and hence SN. We have to show some more propositions before we can prove the reducibility theorem.

Proposition 4. If $\delta : x^A \mapsto \mathbf{e}\llbracket x\rrbracket$ and δ is reducible, then $\mathbf{e}\llbracket x\rrbracket \in [A]$.

Proposition 5. If a ∈ [A] and {a/x}⟦b⟧ ∈ [B], then (λx.b)a ∈ [B].

Proposition 6. If a1 ∈ [A1], ..., an ∈ [An], then {a1/x1, ..., an/xn} ∈ [{x1^{A1}, ..., xn^{An}}].

Let c be a term, π1, ..., πn ∈ Π(c) be such that xi = c/πi (1 ≤ i ≤ n) are bindable variables free at πi in c, and y1, ..., yn be unbindable variables such that, for each i (1 ≤ i ≤ n), xi and yi are of the same type. Then we say that $c' = c_{\pi_1, \ldots, \pi_n}[y_1, \ldots, y_n]$ is a variant of c. If, moreover, c' is bindable variable free, then we say that c' is a bindable variable free variant of c. Note that we can always find a bindable variable free variant of c for any c.

Proposition 7. If c' is a variant of c : C, then c ∈ [C] iff c' ∈ [C].

Now we can prove the reducibility theorem as follows.

Proof. By induction on the size of the derivation of c : C. We write $\bar c$ for $\mathbf{e}\llbracket c\rrbracket$. We classify cases according to the last rule applied to derive c : C. We treat only two cases.

1. (⇒I): In this case, C = A ⇒ B, c = λx.b and $\bar c = \mathbf{e}\llbracket \lambda x.b\rrbracket$. Here, by α-conversion, we may assume that $x \notin \mathrm{TY}(\mathbf{e})$. We put $\bar b := \mathbf{e}\llbracket b\rrbracket$. We first show that $\lambda x.\bar b \in [C]$. To show this, we take an arbitrary a ∈ [A] and we let a' be a bindable variable free variant of a. Then, by Proposition 7, we have that a' ∈ [A]. Hence, by Proposition 6, we have $\gamma : b \mapsto \{a'/x\}\llbracket \bar b\rrbracket$ where $\gamma := (\{a'/x\}, (\mathbf{e}, \iota_b))$ is reducible and bindable variable free. (Note that $(\{a/x\}, (\mathbf{e}, \iota_b))$ may not be bindable variable free since FV(a) may contain bindable variables. So, we consider a' in place of a.) So, by IH, we have $\{a'/x\}\llbracket \bar b\rrbracket \in [B]$. Hence, by Proposition 5, we have $(\lambda x.\bar b)a' \in [B]$. So, by Proposition 7, we have $(\lambda x.\bar b)a \in [B]$. Therefore, we have $\lambda x.\bar b \in [C]$. Since $\bar c \sqsubseteq_{\lambda x.b} \lambda x.\bar b$, we have $\bar c \in [C]$ by Proposition 3.

2. (envE): In this case c = e⟦a⟧ where e : E and a : C. We show that $\mathbf{e}\llbracket e\llbracket a\rrbracket\rrbracket \in [C]$. We let e' be a variant of e such that all free occurrences of bindable variables in e that are not bound by $\mathbf{e}$ are renamed. Then, we see that $\mathbf{e}\llbracket e'\rrbracket$ is bindable variable free. Now, consider the decoration $(\mathbf{e}, \iota_{e'}) : e' \mapsto \mathbf{e}\llbracket e'\rrbracket$. Since the size of the derivation of e' : E is equal to the size of the derivation of e : E, we may appeal to IH for e'. Then, we have $\mathbf{e}\llbracket e'\rrbracket \in [E]$. So, we have the decoration $(\mathbf{e}, (\mathbf{e}\llbracket e'\rrbracket, \iota_a)) : a \mapsto \mathbf{e}\llbracket \mathbf{e}\llbracket e'\rrbracket\llbracket a\rrbracket\rrbracket$, where $(\mathbf{e}, (\mathbf{e}\llbracket e'\rrbracket, \iota_a))$ is reducible. Hence, by IH for a, we have $\mathbf{e}\llbracket \mathbf{e}\llbracket e'\rrbracket\llbracket a\rrbracket\rrbracket \in [C]$. Next, we consider the following two decorations.

$$(\mathbf{e}, ((\mathbf{e}, \iota_{e'}), \iota_a)) : e'\llbracket a\rrbracket \mapsto \mathbf{e}\llbracket \mathbf{e}\llbracket e'\rrbracket\llbracket a\rrbracket\rrbracket,$$
$$(\mathbf{e}, (\iota_{e'}, \iota_a)) : e'\llbracket a\rrbracket \mapsto \mathbf{e}\llbracket e'\llbracket a\rrbracket\rrbracket.$$

From these decorations, we see that $\mathbf{e}\llbracket e'\llbracket a\rrbracket\rrbracket \sqsubseteq_{e'\llbracket a\rrbracket} \mathbf{e}\llbracket \mathbf{e}\llbracket e'\rrbracket\llbracket a\rrbracket\rrbracket$. Hence, by Proposition 3, we have $\mathbf{e}\llbracket e'\llbracket a\rrbracket\rrbracket \in [C]$. Therefore, by Proposition 7 we have $\mathbf{e}\llbracket e\llbracket a\rrbracket\rrbracket \in [C]$. □

6 Conclusion 

We have defined a notion of explicit environments which generalizes explicit substitutions and records, and given a calculus for it which is confluent, SN and a conservative extension of the simply typed λβ-calculus. The calculus we have presented here is the first such calculus that is conservative over the simply typed λβ-calculus.

We have shown how the definition of free and bound variables can be achieved by a suitable type system. This is a form of static analysis.

Due to lack of space, we have not been able to explain how our calculus contains records. We only note here that a canonical record [x1 = a1, ..., xn = an] may be represented by the environment {a1/x1, ..., an/xn}, and that accessing the x field of a record r may be achieved by r⟦x⟧. This representation is made possible owing to the fact that λε is a system with variable names. It is therefore critical that our calculus has variables with names, since we insist that an explicit environment must generalize both a record and a substitution.

There are both named and nameless calculi of explicit substitutions. However, in the case of explicit environments, we have considered only a named calculus, for the reason we explained above. Thus, viewed as a calculus of explicit substitution, λε is a named calculus of explicit substitution. We also think it worthwhile to design a nameless version of λε (although such a calculus would no longer contain a calculus of records but instead contain a calculus of tuples), since such a calculus would become a nameless calculus of explicit substitutions that has substitutions as first-class values.
It seems possible to design an untyped version of our calculus which is conservative over the untyped λβ-calculus and preserves SN. The syntax of such a system, however, would have to be an extension of the syntax of untyped λε-terms we have given, since otherwise we would not be able to determine free variables correctly.

Also, there has recently been growing interest in calculi of contexts. Among these calculi, a typed calculus of contexts introduced by Hashimoto and Ohori [6] uses type information to determine the set of free variables of a given term. We feel that we should be able to design a language which has both environments and contexts as first-class values.

Other future research directions would be to extend the calculus to a calculus that supports dependent types. We are also considering how to use environments to mimic assignment in imperative programs and hope to do further work in this direction.



References 

1. Abadi, M., Cardelli, L., Curien, P.-L. and Lévy, J.-J., Explicit Substitutions, pp. 375-416, Journal of Functional Programming, 1, 1991.

2. Benaissa, Z.E.A., Briaud, D., Lescanne, P. and Maibaum, T.S.E., λυ, a calculus of explicit substitutions which preserves strong normalization, pp. 699-722, Journal of Functional Programming, 6, 1996.

3. Bloo, R. and Rose, K.H., Preservation of Strong Normalization in Named Lambda Calculi with Explicit Substitution and Garbage Collection, Proceedings of CSN'95 (Computer Science in the Netherlands), van Vliet, J.C. (ed.), 1995. (ftp://ftp.diku.dk/diku/semantics/papers/D-246.ps)

4. Girard, J.-Y., Lafont, Y. and Taylor, P., Proofs and Types, Cambridge University Press, 1989.

5. Hardin, T., Confluence results for the pure strong categorical combinatory logic CCL: λ-calculi as subsystems of CCL, pp. 305-312, Theoretical Computer Science, 46, 1986.

6. Hashimoto, M. and Ohori, A., A typed context calculus, Preprint RIMS-1098, Res. Inst. for Math. Sci., Kyoto Univ., 1996. Available at: http://www.kurims.kyoto-u.ac.jp/~ohori/list.html.

7. Kamareddine, F. and Ríos, A., Extending a λ-calculus with explicit substitution which preserves strong normalization into a confluent calculus on open terms, pp. 395-420, Journal of Functional Programming, 7, 1997.

8. Lampson, B. and Burstall, R., Pebble, a Kernel Language for Modules and Abstract Data Types, pp. 278-346, Information and Computation, 76, 1988.

9. Nishizaki, S., Simply Typed Lambda Calculus with First-Class Environments, Publications of the Research Institute for Mathematical Sciences, Kyoto University, Vol. 30, No. 6, 1994.

10. Nishizaki, S., ML with First-Class Environments and its Type Inference Algorithm, pp. 95-116, Logic, Language and Computation, Festschrift in Honor of Satoru Takasu, Lecture Notes in Computer Science 792, Jones, N.D., Hagiya, M. and Sato, M. (eds.), Springer-Verlag, 1994.

11. Takahashi, M., Parallel Reductions in λ-calculus, J. Symbolic Computation, 7, pp. 113-123, 1989.



Consequences of Jacopini’s Theorem: Consistent 
Equalities and Equations 
1 Introduction

In this note we consider the problem of whether a combinator P can consis- 
tently (in most cases with beta conversion) be assumed to satisfy the functional 
equation Mx = Nx. Much of the literature in this area concerns easy terms 
first discovered by Jacopini. These are combinators P which can consistently be 
assumed to be solutions to the equation x = Q for any Q. Here we shall prove 
several results which might be viewed as unexpected; although given Jacopini’s 
result the unexpected should be expected in this topic in lambda calculus. 

We shall construct an identity M = N which is not a beta conversion but 
which is consistent with any consistent set of combinator equations. By a sim- 
pler construction we shall build a functional equation Mx = Nx for which there 
is no solution modulo beta conversion but such that for each consistent set S 
of combinator equations there exists a combinator P with S U {MP = NP} 
consistent. Next we consider the problem of which sets of combinators are “con- 
sistency sets” i.e., sets of the form {P : MP = NP is consistent }. Each such 
set is closed under beta conversion and pi-zero-one (“co-Visseral” in [5]). We
produce such a co-Visseral set which is not a consistency set, in contrast to 
the case for first order arithmetic. Finally, we consider some questions involving 
compactness. We give several examples of sets of functional equations Mx = Nx 
such that 

(*) for each finite subset there is a combinator which can be consistently assumed 
to be a solution 

but there is no single combinator which can consistently be assumed to be a 
solution of the whole set. However, we show that if the condition (*) is made 
effective then no such examples are possible. This is in contrast to the familiar 
event of the effectivization of a classical theorem being false. 



2 Preliminaries 

We adopt for the most part the notation and terminology of [1]. A combinator
is a closed term. The following are the usual combinators

B = λxyz. x(yz)

C* = λxy. yx

K = λxy. x

K* = λxy. y

Y = λx. (λy. x(yy))(λy. x(yy))

O = λxy. y(xy)

Omega = (λx. xx)(λx. xx)

but we reserve the symbol S for sets of combinators or combinator equations. We
take the simple expedient of identifying the natural numbers with their Church
numerals. In this way we avoid the quotation device of [1]. In addition, with this
understanding, any uniform sequence of combinators can, up to beta conversion,
be denoted P0, P1, ..., Pi, ... instead of the usual subscript notation. However,
for readability we shall write such a sequence as P[1], P[2], ..., P[i], .... We are
interested in functional equations



U = V

in a single free variable x, which by abstraction can be put in the form

(λx.U)x = (λx.V)x.

Functional equations in more than one free variable can be reduced to one by
pairing. For example, the equation

Mxy = Nxy

can be replaced by

M(zK)(zK*) = N(zK)(zK*)

with solutions z = (x, y) = λa. axy.

Similarly, several equations can be combined into one by pairing. If S is a set
of combinator equations then, by the well known existence of free models ([1]),
M = N is inconsistent with S if and only if S ∪ {M = N} ⊢ K = K*. Implicit
in Jacopini's classic paper [3] is the following

Theorem (Jacopini): M = N is inconsistent with S if and only if there exist
combinators P[1], ..., P[p] such that

S ⊢ K = P[1]M & P[1]N = P[2]M & ... & P[p]N = K*.

Another way to state this theorem is to consider the graph whose points
consist of the congruence classes of combinators modulo provable equivalence in
S, and whose undirected edges join points of the form PM to those of the form
PN. Then M = N is inconsistent with S ⟺ K and K* are connected by a path ⟺ the
graph is connected.

Among the congruence classes of combinators modulo equivalence in S are
some which contain no solvable terms, such as the class of K_infinity = YK.
We call the number of these classes the degree of S. For example, Barendregt's
H* has degree 1 but the empty S (beta conversion) has infinite degree. Below,
we shall observe that S's of each finite degree exist.

When it comes to functional equations Mx = Nx it is possible that the
equation MA = NA is consistent with beta conversion for a new constant A
but for any combinator L the equation ML = NL is inconsistent with beta
conversion. For example, in [4] we constructed a Plotkin term P such that for
each combinator M, PM beta converts to P but P does not beta convert to KP.
It is easy to see, by using Mitschke's theorem ([1], page 401), that the equation

PA = I

with a new constant A, is consistent with beta conversion but clearly it is not
consistent for any combinator in place of A. It is also possible for a given com-
binator to be a consistent solution to each of several functional equations sepa-
rately when the entire collection cannot have a solution. For example, Omega is
a consistent solution to x = K* and to x = Y(K, K*).

Definition: Suppose S is a set of combinator equations. The functional equation
Mx = Nx is said to be consistently solvable over S if there exists a combinator
P such that S ∪ {MP = NP} is consistent. Such a P is called a consistent
solution over S.

Remark: When S is empty we drop the phrase “over S”.

Definition: The combinator equation M = N is said to be inevitably consistent
if M does not beta convert to N but for any consistent set S of combinator
equations S ∪ {M = N} is consistent. The functional equation Mx = Nx is said
to be inevitably consistently solvable if there is no solution in the combinators
modulo beta conversion but for any consistent set S of combinator equations
there exists a combinator P such that S ∪ {MP = NP} is consistent.

Example: Y is a consistent solution to the equations

x = Ox and x = xO

since Y satisfies these equations in the Böhm tree model ([1]) but there is no
solution to these equations modulo beta conversion (Intrigila, unpublished).

Example (generalization): We say that M is consistently solvable if there
exist N[1], ..., N[n] such that MN[1]...N[n] = I is consistent with beta con-
version. For each e construct a combinator P[e] such that

P[e]n = λ*. P[e](n + 1) if the eth Turing machine converges on n, or
an order zero unsolvable otherwise.

This can be done directly or by the Visser fixed point theorem ([5]). Then P[e]0
is consistently solvable ⟺ the eth Turing Machine is not total.
3 Inevitably Consistent and Consistently Solvable
Equations

Theorem 1: Suppose that S is a set of combinator equations of finite degree.
Then there exists a functional equation

Pxyz = Qxyz

such that for any combinator equation M = N,

S ∪ {M = N} is inconsistent ⟺ PMNz = QMNz has a solution over S.

Proof: Suppose that S is given of degree n.

Consider the graph described after the statement of Jacopini's theorem above
and all shortest paths joining the combinator class containing K and the class
containing K*. Now, for any of these paths, no intermediate point can contain a
solvable combinator P. For if such a P exists it must have a distinct head normal
form from either K or K*. W.l.o.g. assume it is distinct from K and thus there
exist M[1], ..., M[m] such that KM[1]...M[m] conv. K and K*M[1]...M[m]
conv. K* conv. PM[1]...M[m], and this contradicts the choice of path as being
a shortest one. Thus for p = n + 3, by Jacopini

S ⊢ K = P[1]M & P[1]N = P[2]M & ... & P[p]N = K*

in other words

K = x[1]M, x[1]N = x[2]M, ..., x[p]N = K*

has a solution over S. ∎

The following corollary follows from the proof. 



Corollary: If S is a set of combinator equations of finite degree then there exists
a functional equation

Pxyz = Qxyz

such that M = N is inconsistent with some consistent extension of S ⟺ PMNz =
QMNz is consistently solvable over S.

Remark: For the case that S is empty the construction in the proof of Theorem 
1 does not work. This is verified in [6] . 

However, it is still the case that the theorem is true (the best proof comes 
from [4]). 

Theorem 2: There exist S of every finite degree. 

We shall present a proof of this theorem elsewhere; the theorem is not 
used below. 

Theorem 3: There exists an inevitably consistent combinator equation. 
Proof: For the proof we need to recall a result of [5].

As usual, W[e] is the eth recursively enumerable set. For each RE set S of
natural numbers there exists a combinator H such that if S satisfies

S is not empty,

if e belongs to S then W[e] is non-empty,

if i and j both belong to S and W[i] intersect W[j] is non-empty then
W[i] = W[j],

if e belongs to S, #M belongs to W[e], and M conv. N then #N belongs to
W[e],

then HM conv. HN ⟺ M conv. N or there exists e in S s.t. M and N
both belong to W[e]. In addition, the construction of H is uniform in S, i.e.,
there exists a combinator G such that if e is an RE index for S we have Ge
conv. H.

To apply this result consider a fixed enumeration of the finite sequences of
combinators. We let p(i) be the number of combinators in the ith sequence and
we let P[i,j] be the jth combinator in the ith sequence where j is between 1
and p(i). Given combinators N and M we define two RE sets of combinators.

1. {((P[i,1], ..., P[i,p(i)]), (K, P[i,1]N, ..., P[i,p(i)]N)) : i = 0, 1, ...}

2. {((P[i,1], ..., P[i,p(i)]), (P[i,1]M, ..., P[i,p(i)]M, K*)) : i = 0, 1, ...}

where (X[1], ..., X[n]) is the usual sequencing combinator λx. xX[1]...X[n].
If these two sets intersect modulo beta conversion (i.e., if their beta conversion
closures intersect) then for some i we have

K conv. P[i,1]M

P[i,1]N conv. P[i,2]M

P[i,2]N conv. P[i,3]M

...

P[i,p(i)]N conv. K*

and the equation M = N is inconsistent with beta conversion.

Conversely, if M = N is inconsistent with beta conversion then by Jacopini's
theorem the two sets intersect modulo beta conversion. Now let k be an RE
index for the beta conversion closure of the first set and let ℓ be an RE index
for the beta conversion closure of the second set. Apply the above theorem to
S = {k, ℓ} to obtain H. Now let F be the combinator such that F#(N, M) conv. H.
Now let

L = λx. ((P[1,1], ..., P[1,p(1)]), (K, P[1,1]x, ..., P[1,p(1)]x))

J = λx. ((P[1,1], ..., P[1,p(1)]), (P[1,1]x, ..., P[1,p(1)]x, K*)).

Then by the fixed point theorem [1] there exists a pair (N, M) such that

(N, M) conv. (F#(N, M)(LN), F#(N, M)(JM)).
We claim that the equation M = N is inevitably consistent.

First suppose that M conv. N. Then H(LN) conv. H(JM) and so by the
above theorem S must fail to satisfy one of the stated conditions. This can
only be that W[k] intersect W[ℓ] is non-empty and thus M = N is inconsistent
with beta conversion. We conclude that M does not beta convert to N. Next
suppose that S is a consistent set of combinator equations such that M = N is
inconsistent with S. By Jacopini's theorem there exist P[i,1], ..., P[i,p(i)] such
that

S ⊢ K = P[i,1]M

S ⊢ P[i,1]N = P[i,2]M

...

S ⊢ P[i,p(i)]N = K*

that is

S ⊢ ((P[i,1], ..., P[i,p(i)]), (K, P[i,1]N, ..., P[i,p(i)]N)) =
((P[i,1], ..., P[i,p(i)]), (P[i,1]M, ..., P[i,p(i)]M, K*)) and

S ⊢ H((P[i,1], ..., P[i,p(i)]), (K, P[i,1]N, ..., P[i,p(i)]N)) =
H((P[i,1], ..., P[i,p(i)]), (P[i,1]M, ..., P[i,p(i)]M, K*)).

However,

S ⊢ H((P[1,1], ..., P[1,p(1)]), (K, P[1,1]N, ..., P[1,p(1)]N)) =
H((P[i,1], ..., P[i,p(i)]), (K, P[i,1]N, ..., P[i,p(i)]N)) and

S ⊢ H((P[1,1], ..., P[1,p(1)]), (P[1,1]M, ..., P[1,p(1)]M, K*)) =
H((P[i,1], ..., P[i,p(i)]), (P[i,1]M, ..., P[i,p(i)]M, K*)), thus

S ⊢ F#(N, M)(LN) = F#(N, M)(JM) and

S ⊢ M = N

contradicting the choice of S. Thus M = N is inevitably consistent. ∎

Remark: It can be proved from Mitschke's theorem ([1]) that any inevitably
consistent equation must contain a universal generator. This is indeed the case
for our example.

The following theorem follows from theorem 3; however, it has a simpler 
proof. 

Theorem 4: There exist inevitably consistently solvable functional equations. 

Proof: We can restate Jacopini's theorem for the empty S as follows. M = N
is inconsistent with beta conversion ⟺ there exists a combinator P of the form
λa. aP[1]...P[p] such that B(C*K*)(PM) beta converts to B(PN)(C*K). Now
by [4] there exists a combinator R such that RP beta converts to R if and only
if P beta converts to the form λa. aP[1]...P[p] for combinators P[1], ..., P[p].
Thus the equations

(*) Rx = R, B(C*K*)(xM) = B(xN)(C*K)

have a solution modulo beta conversion if and only if M = N is inconsistent with
beta conversion. Moreover, if S is a consistent set of combinator equations then
(*) has a solution over S if M = N is inconsistent with S. Hence the equations

(**) Rx = R, B(C*K*)(x(Omega)) = B(xy)(C*K),

once the two variables are replaced by one variable through pairing, are in-
evitably consistently solvable. For, since Omega is easy, there is no solution to
the given equations in beta conversion alone. However, for each S there is an
extension with a solution, for either Omega is already inconsistent with each
solvable term, or for one of them, say N, Omega = N is consistent with S. In
the extension S ∪ {Omega = N}, Omega is inconsistent with some other solvable
M by Böhm's theorem. In addition, if N(N[1])...(N[n]) converts to I then set
L = Y(λx. xN[1]...N[n]M). Then Omega is inconsistent in S ∪ {Omega = N}
with the unsolvable L. ∎

4 Consistency Sets 

Clearly if S is RE then the set of consistent solutions to Mx = Nx is a co-
Visseral ([5]) set. It is natural to ask if every co-Visseral set is representable in
this manner as a “consistency set”. By [5] it suffices to consider only co-Visseral
sets of the form {P : P does not beta convert to Q}.

Theorem 5: Let Mx = Nx be given. Then there exists a combinator P not beta
convertible to Omega such that either M(Omega) = N(Omega) is consistent or
MP = NP implies M(Omega) = N(Omega).

Proof: Suppose that Mx = Nx is given and M(Omega) = N(Omega) is in-
consistent. Then M(Omega) and N(Omega) have beta eta distinct Böhm trees
([1], page 504 and page 244). Without loss of generality we may assume that
M(Omega) and N(Omega) are not separable. Thus M(Omega) and N(Omega)
have reducts with equivalent subterms one of which is unsolvable and the other
of which has a head normal form. Symmetrically assume that the unsolvable one
is in a reduct of M. By the Böhm-out technique there exists a possibly open
term X such that

X(Mx) beta converts to either a term with no head normal form,
or to λy[1]...y[r]. xY[1]...Y[s],

X(Nx) beta converts to y.

Clearly we may assume that the second alternative for X(Mx) does not occur.
In addition, we can arrange it so that X(Mx) has the property

X(Mx) either has infinite order or order zero.

By the fixed point theorem there exists a combinator P such that P beta converts
to (λz. z((λy. X(MP))z))(λz. zz). By the standardization theorem P does not
beta convert to Omega. However, whenever MP = NP we have P = Omega.
This completes the proof.

Corollary: The set {P : P does not beta convert to Omega} is not a consis-
tency set.



5 Finitely Consistently Solvable Sets of Equations 

Definition: If S is a set of functional equations then S is said to be (effectively)
finitely consistently solvable if there is a partial (recursive) function f defined
on exactly the finite subsets of S such that if F is a finite subset of S then

{M(f(F)) = N(f(F)) : Mx = Nx in F}

is consistent with beta conversion.

Remark: The effectiveness condition in the definition really has two parts

(a) S is RE

(b) consistent solutions can be computed for finite subsets.

Next we show that neither of these restrictions can be relaxed.

Theorem 6: There exists a finitely consistently solvable set which is not con- 
sistently solvable. 



Proof: We shall actually build two variations on the same example only one of
which is RE. The RE example goes as follows.

For each combinator M we shall use two “local” variables y and z which
actually depend on M. For each such combinator we take the equations

zx = K, zM = yM, yx = K*.

Our example consists of all these equations with all the local variables replaced by
one global variable through pairing. Clearly this set is not consistently solvable.
However, for any finite subset corresponding to the combinators M[1], ..., M[m]
we can find a consistent solution as follows. Let M have a head normal form dis-
tinct from the head normal forms of the solvable members of {M[1], ..., M[m]}.
Let N[1], ..., N[n] be such that

MN[1]...N[n] → I,

then for each of the sets

zx = K, zM[i] = yM[i], yx = K*

we have the solution of M for x and

if M[i] is solvable then there exists a Böhm-out term P such that PM beta
converts to K* and PM[i] beta converts to K; put P for y and KK for z.

if M[i] is unsolvable then there exists a fixed point P without head normal
form such that P beta converts to PN[1]...N[n]K*. Put λx. xN[1]...N[n] for y
and I for z. This works in the Böhm tree model where all the unsolvables are
equal; in particular M[i] = P.

Clearly computing the finite consistent solution requires determining the solv-
ability of M[i]. Computing a finite consistent solution can be simplified by pass-
ing to a non-RE example. We keep the above equations for those terms M which
are unsolvable and add the following for terms N in head normal form

yN = K, yx = K*.

It should be clear how to solve for the variables in any finite subset of these
equations. This completes the construction.



Theorem 7: If S is effectively finitely consistently solvable then S is consistently
solvable.

Proof: Suppose that S is effectively finitely consistently solvable and the func-
tion f is as above. For each finite subset F of S define T(F) = {Mf(F) =
Nf(F) : Mx = Nx belongs to F}. By Visser's theorem 3.8 ([7]) there exists a
combinator P such that for each finite subset F of S

T(F) ∪ {P = f(F)} is consistent.

Thus by the compactness theorem the set

{MP = NP : Mx = Nx belongs to S}

is consistent. This completes the proof.
Abstract. In this paper a strongly normalizing cut-elimination procedure is
presented for classical logic. The procedure adapts the standard cut transfor-
mations, see for example [12]. In particular our cut-elimination procedure re-
quires no special annotations on formulae. We design a term calculus for a
variant of Kleene's sequent calculus G3 via the Curry-Howard correspondence
and the cut-elimination steps are given as rewrite rules. In the strong normal-
ization proof we adapt the symmetric reducibility candidates developed by
Barbanera and Berardi.



1 Introduction 



Gentzen has shown in his seminal paper [10] that all cuts can be eliminated
from proofs in LK and LJ. Since then many Hauptsätze (cut-elimination theo-
rems) have appeared for various sequent calculus formulations. Most of them,
including Gentzen's original, provide a cut-elimination procedure which is weakly
normalising, i.e., they employ a particular reduction strategy (for example an
inner-most reduction strategy or the elimination of the cut with the highest
rank). Besides these weakly normalising methods a few strongly normalising
cut-elimination procedures have been developed; for example in [4,5,6,7,13,14].
However, all those methods impose some form of restriction on the reduction
rules to ensure strong normalisation. A common restriction is to not allow a
cut-rule to pass over another cut-rule (exceptions are [6,13]). However this lim-
its, in the intuitionistic case, the correspondence between cut-elimination and
beta-reduction [8,14]. Therefore in this paper we develop a strongly normalising
cut-elimination procedure adapting the standard cut-elimination steps for logi-
cal cuts and allowing commuting cuts to pass over other cuts. (A cut-rule is said
to be a logical cut when both cut-formulae are introduced by axioms or logical
inference rules; otherwise the cut is said to be a commuting cut.) Our method
is closely related to the cut-elimination procedure developed in [6,15]. However
we do not need their colour annotations.

The problem of non-termination of cut-elimination occurs in both intuitionis- 
tic logic and classical logic. One example of a non-terminating reduction sequence 
in intuitionistic logic is given in [20]; for classical logic [6] and [9] give the fol- 
lowing example: 



    A ⊢ A    A ⊢ A                A ⊢ A    A ⊢ A
    -------------- ∨L             -------------- ∧R
     A∨A ⊢ A, A                    A, A ⊢ A∧A
    ---------- ContrR             ---------- ContrL
     A∨A ⊢ A                       A ⊢ A∧A
    ---------------------------------------- Cut
                 A∨A ⊢ A∧A

J.-Y. Girard (Ed.): TLCA'99, LNCS 1581, pp. 365-380, 1999.
Springer-Verlag Berlin Heidelberg 1999

C. Urban and G.M. Bierman

where a commuting cut needs to be eliminated. There are two possible reduc-
tions: either the cut can be permuted upwards in the left proof branch or in the
right proof branch. If one is not careful, applying these reductions in alternation
can lead to arbitrarily big normal forms and to non-termination. This is reme-
died in [6] by devising a specific protocol for cut-elimination, which depends on
additional information (‘colours’) attached to every cut-formula. For this cut-
elimination procedure strong normalisation and confluence have been proved; the
colours are used to ingeniously map every LK^tq-proof to a corresponding proof-
net in linear logic and every cut-elimination step to a series of reductions on
proof-nets (strong normalisation for proof-nets has been proved in [11]).

We shall consider a sequent calculus formulation very similar to Kleene’s G3 
[16] and G3c of [18], where the structural rules are completely implicit in the 
form of the logical rules. Another feature of our work is that we shall anno- 
tate proofs with terms and term rewrite rules will describe the cut-elimination 
steps. In our approach no additional information is required to guide the cut- 
elimination process. The rest of the paper is organised as follows: §2 contains 
various notational conventions and definitions; §3 contains a detailed proof of 
strong normalisation for the rewrite system. The proof adapts the technique 
of symmetric reducibility candidates [1]; §4 concludes and gives suggestions for 
further work. 

2 Terms, Judgements, Rewrite Rules and Substitution 

The main idea behind the cut-elimination procedure presented in this paper is
to transport one subderivation of a commuting cut to the place(s) where the
cut-formula is introduced. Consider the following proof in G3c:



[Proof figure, partly lost in extraction: a derivation π1 ending in A'∨A ⊢ B⊃C, A
(by ∨L, with ⊃R from A, B ⊢ C, A' above it) and a derivation π2 ending in
A, D⊃E ⊢ A∧A (by ⊃L and ∧R from axioms), joined by a Cut on A with conclusion
A'∨A, D⊃E ⊢ B⊃C, A∧A. The axioms in π1 in which A is a main formula are marked
with a bullet, those in π2 with a star.]

The cut-formula A is neither a main formula in the inference rule ∨L, nor in ⊃L.
Therefore the cut is a commuting cut. In π1 the cut-formula is a main formula
in the axioms marked with a bullet; in π2, respectively, in the axioms marked
with a star. Eliminating the cut in the proof above means to either transport
the derivation π2 to the places marked with a bullet and ‘cut it against’ the
corresponding axioms, or to transport π1 and ‘cut it against’ the axioms marked
with a star. In both cases the derivation being transported is duplicated.

In the remainder of this section we shall annotate proofs, via the Curry-
Howard correspondence, with terms and present a rewrite system for cut-elim-
ination. The raw terms are defined in Figure 1 using names and co-names as
binders. Besides the terms, which are going to be used as annotations for proofs,
there are two other syntactic categories which play an important role in the
definition of substitution and in the strong normalisation proof. Let M and N
be terms, then (x:B)M and ⟨a:B⟩N are called named terms and co-named terms,
Raw Terms:  M, N ::= Ax(x, a)                        Axiom
                  | Cut(⟨a:B⟩M, (x:B)N)              Cut
                  | AndR(⟨a:B⟩M, ⟨b:C⟩N, c)          And-R
                  | AndL_i((x:B)M, y)                And-L_i  (i = 1, 2)
                  | OrR_i(⟨a:B⟩M, b)                 Or-R_i   (i = 1, 2)
                  | OrL((x:B)M, (y:C)N, z)           Or-L
                  | ImpR((x:B)⟨a:C⟩M, b)             Imp-R
                  | ImpL(⟨a:B⟩M, (x:C)N, y)          Imp-L

Fig. 1. The grammar for the raw terms where B and C are types; x, y, z are
taken from a set of names and a, b, c from a set of co-names.



respectively. We use round brackets to signify that a name becomes bound in a
term and angle brackets that a co-name becomes bound in a term. Analogous
to the Church-style formation rules for the λ-calculus, all binders are explicitly
typed (types are defined as normal). However in what follows we will omit these
typings when they are clear from the context. Given a term M, its set of free
names is written as FN(M) and its set of free co-names is written as FC(M)
(similarly for named and co-named terms); their routine definitions are omitted.
We assume that the three types of terms are equal up to α-conversion and that
a Barendregt-style naming convention holds for names and co-names (see 2.1.13
in [2]). Rewriting a name x to y in M is written as M{x ↦ y} (respectively
for co-names). The routine formalisation of the rewriting operation is omitted.

In the following we are only concerned with terms which can be well-typed
by the inference system given in Figure 2. The typing judgements are of the form
Γ ▷ M ▷ Δ where Γ is a set of name-type pairs and Δ is a set of co-name-type
pairs. The reader will see that this system is the term system for a variant of
Kleene's G3 formulation via the Curry-Howard correspondence. Our ∧L and ∨R
rules differ slightly from the G3 and G3c of [18]: they provide more convenience
in the strong normalisation proof, but the original rules could be used as well
(see Section 4). There are no primitive rules for contraction and weakening: they
are completely implicit in the form of the logical rules. However, special care
needs to be taken with implicit contractions. Consider the proof fragment:

    x:B, Γ ▷ M ▷ Δ, b:B⊃C, a:C
    ------------------------------------ ⊃R        (1)
    Γ ▷ ImpR((x)⟨a⟩M, b) ▷ Δ, b:B⊃C

The typing rule introduces the co-name-type pair b : B⊃C in the conclusion.
However it is allowed that this pair can already be present in the premise. On
the other hand, the name-type pair x : B and the co-name-type pair a : C in the
premise are not allowed to be in the conclusion: they become bound in the term.

The following definition corresponds to the traditional notion of what the
main formula of an inference rule is.
    x:B, Γ ▷ Ax(x, a) ▷ Δ, a:B                                   Axiom

    x:B_i, Γ ▷ M ▷ Δ
    ------------------------------------ ∧L_i
    y:B1∧B2, Γ ▷ AndL_i((x)M, y) ▷ Δ

    x:B, Γ ▷ M ▷ Δ      y:C, Γ ▷ N ▷ Δ
    ------------------------------------ ∨L
    z:B∨C, Γ ▷ OrL((x)M, (y)N, z) ▷ Δ

    Γ ▷ M ▷ Δ, a:B      x:C, Γ ▷ N ▷ Δ
    ------------------------------------ ⊃L
    y:B⊃C, Γ ▷ ImpL(⟨a⟩M, (x)N, y) ▷ Δ

    Γ ▷ M ▷ Δ, a:B      Γ ▷ N ▷ Δ, b:C
    ------------------------------------ ∧R
    Γ ▷ AndR(⟨a⟩M, ⟨b⟩N, c) ▷ Δ, c:B∧C

    Γ ▷ M ▷ Δ, a:B_i
    ------------------------------------ ∨R_i
    Γ ▷ OrR_i(⟨a⟩M, b) ▷ Δ, b:B1∨B2

    x:B, Γ ▷ M ▷ Δ, a:C
    ------------------------------------ ⊃R
    Γ ▷ ImpR((x)⟨a⟩M, b) ▷ Δ, b:B⊃C

    Γ1 ▷ M ▷ Δ1, a:B      x:B, Γ2 ▷ N ▷ Δ2
    ------------------------------------ Cut
    Γ1, Γ2 ▷ Cut(⟨a⟩M, (x)N) ▷ Δ1, Δ2

Fig. 2. The typing rules for the propositional fragment.



Definition 1.

A term M introduces the name z or co-name c if M is of the form:

for z:  Ax(z, c)
        AndL_i((x)S, z)
        OrL((x)S, (y)T, z)
        ImpL(⟨a⟩S, (x)T, z)

for c:  Ax(z, c)
        AndR(⟨a⟩S, ⟨b⟩T, c)
        OrR_i(⟨a⟩S, c)
        ImpR((x)⟨a⟩S, c)



Recall our example from the beginning of this section where a commuting cut
can be permuted in two different directions. Therefore the rewrite system for our
cut-elimination procedure is defined using two, symmetric forms of substitution,
which are written as P[x := ⟨a⟩Q] and S[b := (y)T]. These substitutions are used
when the inference rules directly above the cut do not introduce the cut-formula.
In these cases the cuts can permute, or ‘jump’ directly to the place(s) where the
cut-formula is introduced (i.e., is a main formula). Whenever a substitution ‘hits’
a term where the cut-formula is introduced the substitution ‘expands’ to a cut.
Two examples are as follows:

AndR(⟨a⟩M, ⟨b⟩N, c)[c := (x)P] =def Cut(⟨c⟩AndR(⟨a⟩M, ⟨b⟩N, c), (x)P)

Ax(x, a)[x := ⟨b⟩Q] =def Cut(⟨b⟩Q, (x)Ax(x, a))

In the first term the formula labelled with c is the main formula and in the
second the formula labelled with x is a main formula. So in both cases the
substitution expands to a cut. In the other cases where the name or co-name
that is substituted is not a label for the main formula, then the substitution is
pushed into the subterms or vanishes in case of the axioms. Two examples are
as follows (assume the substitution [σ] is not of the form [z := ...] or [a := ...]):

OrL((x)M, (y)N, z)[σ] = OrL((x)M[σ], (y)N[σ], z)

Ax(z, a)[σ] = Ax(z, a)

However, special care needs to be taken for axioms, because they have two main
formulae. For technical reasons in the strong normalisation proof we need the
following property:
M[x := ⟨a⟩P][b := (y)Q] = M[b := (y)Q][x := ⟨a⟩P]        (2)

if b ∉ FC(⟨a⟩P) and x ∉ FN((y)Q). The naive definition outlined above does
not satisfy this property: in case M is of the form Ax(x, b) we get two different
terms:

Ax(x, b)[x := ⟨a⟩P][b := (y)Q] = Cut(⟨a⟩P, (x)Cut(⟨b⟩Ax(x, b), (y)Q))
Ax(x, b)[b := (y)Q][x := ⟨a⟩P] = Cut(⟨b⟩Cut(⟨a⟩P, (x)Ax(x, b)), (y)Q)

Furthermore the nested cuts with an axiom as an immediate subterm could be a
source for non-termination as noted in [6]. Therefore we use a more subtle defin-
ition of substitution and introduce two special clauses to handle the problematic
example above.



Definition 2. Substitution

Cut(⟨a⟩Ax(x, a), (y)M)[x := ⟨b⟩P]  =def  Cut(⟨b⟩P, (x)M{y ↦ x})
Cut(⟨a⟩M, (x)Ax(x, b))[b := (y)P]  =def  Cut(⟨b⟩M{a ↦ b}, (y)P)
M[c := (y)P]                        =def  Cut(⟨c⟩M, (y)P)      if M introduces c
M[y := ⟨c⟩P]                        =def  Cut(⟨c⟩P, (y)M)      if M introduces y

otherwise

Ax(x, a)[σ]                  =  Ax(x, a)
Cut(⟨a⟩M, (x)N)[σ]           =  Cut(⟨a⟩M[σ], (x)N[σ])
AndR(⟨a⟩M, ⟨b⟩N, c)[σ]       =  AndR(⟨a⟩M[σ], ⟨b⟩N[σ], c)
AndL_i((x)M, y)[σ]           =  AndL_i((x)M[σ], y)
OrR_i(⟨a⟩M, b)[σ]            =  OrR_i(⟨a⟩M[σ], b)
OrL((x)M, (y)N, z)[σ]        =  OrL((x)M[σ], (y)N[σ], z)
ImpR((x)⟨a⟩M, b)[σ]          =  ImpR((x)⟨a⟩M[σ], b)
ImpL(⟨a⟩M, (x)N, y)[σ]       =  ImpL(⟨a⟩M[σ], (x)N[σ], y)



Recall that we assumed a Barendregt-style naming condition for (co-)names. A
substitution M[a := (x:B)N] is said to be well-formed iff Cut(⟨a:B⟩M, (x:B)N)
is well-typed. In the following we shall consider only well-formed substitutions.
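The term grammar of Figure 1 and the substitution of Definition 2, as an added example in Python (not the paper's code): it implements the two axiom clauses and checks, for the problematic M = Ax(x, b) of property (2), that the two substitution orders agree up to α-conversion under Definition 2 while the naive definition yields the two different nested cuts shown above. The sample terms P = Ax(p, a) and Q = Ax(y, q) are constructed here so that the side conditions of (2) hold.

```python
# Added example (not the paper's code): the raw terms of Figure 1 and the
# substitution of Definition 2, with an alpha-equivalence check for property (2).
# A term is a tuple headed by its constructor tag; (x) binds a name, <a> a co-name:
#   ('Ax', x, a)              Ax(x, a)
#   ('Cut', a, M, x, N)       Cut(<a>M, (x)N)
#   ('AndR', a, M, b, N, c)   AndR(<a>M, <b>N, c)
#   ('AndL', i, x, M, y)      AndL_i((x)M, y)
#   ('OrR', i, a, M, b)       OrR_i(<a>M, b)
#   ('OrL', x, M, y, N, z)    OrL((x)M, (y)N, z)
#   ('ImpR', x, a, M, b)      ImpR((x)<a>M, b)
#   ('ImpL', a, M, x, N, y)   ImpL(<a>M, (x)N, y)
# SHAPE gives, per constructor, (positions of the binders, position of the subterm).
SHAPE = {
    'Ax': (), 'Cut': (((1,), 2), ((3,), 4)), 'AndR': (((1,), 2), ((3,), 4)),
    'AndL': (((2,), 3),), 'OrR': (((2,), 3),), 'OrL': (((1,), 2), ((3,), 4)),
    'ImpR': (((1, 2), 3),), 'ImpL': (((1,), 2), ((3,), 4)),
}


def introduces(M, lbl):
    """Definition 1: an axiom introduces both its labels, a cut none, any other
    constructor the label in its last position."""
    if M[0] == 'Ax':
        return lbl in M[1:]
    return M[0] != 'Cut' and M[-1] == lbl


def rename(M, old, new):
    """M{old -> new}; under the Barendregt convention plain replacement cannot capture."""
    return tuple(rename(e, old, new) if isinstance(e, tuple)
                 else (new if e == old else e) for e in M)


def subst(M, sig, special=True):
    """Apply a substitution to M.  sig = ('N', x, a, P) stands for M[x := <a>P] and
    sig = ('C', c, y, P) for M[c := (y)P].  special=False omits the two axiom
    clauses of Definition 2, i.e. it is the naive definition from the text."""
    kind, lbl, bnd, P = sig
    if M[0] == 'Cut' and special:
        a, L, x, R = M[1:]
        if kind == 'N' and L == ('Ax', lbl, a):     # Cut(<a>Ax(x,a), (y)R)[x := <b>P]
            return ('Cut', bnd, P, lbl, rename(R, x, lbl))
        if kind == 'C' and R == ('Ax', x, lbl):     # Cut(<a>L, (x)Ax(x,b))[b := (y)P]
            return ('Cut', lbl, rename(L, a, lbl), bnd, P)
    if introduces(M, lbl):                          # the substitution expands to a cut
        return ('Cut', lbl, M, bnd, P) if kind == 'C' else ('Cut', bnd, P, lbl, M)
    out = list(M)                                   # otherwise push it into the subterms
    for _, pos in SHAPE[M[0]]:
        out[pos] = subst(M[pos], sig, special)
    return tuple(out)


def same_free(u, v, env):
    """Compare two labels under the binder pairing env (innermost pair first)."""
    for m, n in env:
        if u == m:
            return v == n
        if v == n:
            return False
    return u == v


def alpha_eq(M, N, env=()):
    """Equality of terms up to renaming of bound names and co-names."""
    if M[0] != N[0] or len(M) != len(N):
        return False
    binders = {p for bs, _ in SHAPE[M[0]] for p in bs}
    subterms = {pos: bs for bs, pos in SHAPE[M[0]]}
    for i in range(1, len(M)):
        if i in binders:
            continue
        if i in subterms:
            ext = tuple((M[p], N[p]) for p in subterms[i]) + env
            if not alpha_eq(M[i], N[i], ext):
                return False
        elif not same_free(M[i], N[i], env):
            return False
    return True


# Constructed sample input: the problematic axiom M = Ax(x, b) of property (2) with
# P = Ax(p, a) and Q = Ax(y, q), so that b is not free in <a>P and x not in (y)Q.
AX, P, Q = ('Ax', 'x', 'b'), ('Ax', 'p', 'a'), ('Ax', 'y', 'q')
SUB_X, SUB_B = ('N', 'x', 'a', P), ('C', 'b', 'y', Q)


def both_orders(special=True):
    """Return (M[x := <a>P][b := (y)Q], M[b := (y)Q][x := <a>P]) for M = Ax(x, b)."""
    left = subst(subst(AX, SUB_X, special), SUB_B, special)
    right = subst(subst(AX, SUB_B, special), SUB_X, special)
    return left, right


def commutes(special=True):
    """Property (2) for M = Ax(x, b): do the two orders agree up to alpha-conversion?"""
    return alpha_eq(*both_orders(special))


if __name__ == '__main__':
    print('naive definition satisfies (2):', commutes(False))   # False
    print('Definition 2 satisfies (2):', commutes(True))        # True
```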

A naive translation of the traditional, logical cut-elimination rules into our
term calculus is, for example, as follows (∧_1 case):

Cut(⟨c⟩AndR(⟨a⟩M, ⟨b⟩N, c), (y)AndL_1((x)P, y)) ⟶ Cut(⟨a⟩M, (x)P)

However, there is a problem with this reduction rule. In our sequent calculus, the
structural rules are implicit (see the discussion of proof (1)). This makes the cal-
culus smaller, and more importantly it provides a very convenient way to define
substitution (no explicit contractions are required when a term is duplicated).
Unfortunately, we have to pay a price for this in the logical cut-elimination rules.
Consider the following instance of the redex above:
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A 



> M t> Ai,c:BAC,a-.B Bi > N > Ai,b-.C x-.B,B2 > P > A2 

A > And Ft{(a)M, (b)N, c) > Ai, c.BAC ^ y.BAC, A ^ And\{(x)P, y) > A2 
A, A Cut{(c) And R{(a) M , (b)N, c), (y)And\{(x)P, y)) > A\, A2 



Alx 

Cut 



where c : BAG S FC{M). The nave reduction rule given above would (incor- 
rectly!) reduce this proof to the following: 

Pi > M > Ai,c'.BAC,a:B x ■. B, P2 P 0 A2 ^ 

A, A >Cut(<a)M,(x)P) >Zii,Zi2,c:BAC' 



Unfortunately c has now become free! In order to obtain a subject reduction 
property for the rewrite system we have to include in every logical reduction step 
extra substitutions (the main formula of the conclusion could potentially be in 
every subterm). These substitutions ensure that no bound (co-)name becomes 
free. In effect the logical reduction rules look slightly complicated, but that is 
the price we have to pay for the convenience of not having explicit structural 
rules. The cut-elimination procedure is defined (in its entirety) as follows: 



Definition 3. Cut-Elimination

Logical Cuts (i = 1, 2)

\[
\begin{aligned}
1.\;& \mathit{Cut}(\langle b\rangle \mathit{AndR}(\langle a_1\rangle M_1, \langle a_2\rangle M_2, b),\ (y)\mathit{AndL}_i((x)N, y)) \\
&\longrightarrow \mathit{Cut}(\langle a_i\rangle M_i[b := (y)\mathit{AndL}_i((x)N, y)],\ (x)N[y := \langle b\rangle \mathit{AndR}(\langle a_1\rangle M_1, \langle a_2\rangle M_2, b)]) \\[4pt]
2.\;& \mathit{Cut}(\langle b\rangle \mathit{OrR}_i(\langle a\rangle M, b),\ (y)\mathit{OrL}((x_1)N_1, (x_2)N_2, y)) \\
&\longrightarrow \mathit{Cut}(\langle a\rangle M[b := (y)\mathit{OrL}((x_1)N_1, (x_2)N_2, y)],\ (x_i)N_i[y := \langle b\rangle \mathit{OrR}_i(\langle a\rangle M, b)]) \\[4pt]
3.\;& \mathit{Cut}(\langle b\rangle \mathit{ImpR}((x)\langle a\rangle M, b),\ (z)\mathit{ImpL}(\langle c\rangle N, (y)P, z)) \\
&\longrightarrow \mathit{Cut}(\langle a\rangle \mathit{Cut}(\langle c\rangle N[z := \langle b\rangle S],\ (x)M[b := (z)T]),\ (y)P[z := \langle b\rangle S]) \qquad \text{or} \\
&\longrightarrow \mathit{Cut}(\langle c\rangle N[z := \langle b\rangle S],\ (x)\mathit{Cut}(\langle a\rangle M[b := (z)T],\ (y)P[z := \langle b\rangle S])) \\
&\qquad \text{where } S = \mathit{ImpR}((x)\langle a\rangle M, b) \text{ and } T = \mathit{ImpL}(\langle c\rangle N, (y)P, z) \\[4pt]
4.\;& \mathit{Cut}(\langle a\rangle M,\ (x)\mathit{Ax}(x,b)) \longrightarrow M\{a \mapsto b\} \qquad \text{if } M \text{ introduces } a \\
5.\;& \mathit{Cut}(\langle a\rangle \mathit{Ax}(y,a),\ (x)M) \longrightarrow M\{x \mapsto y\} \qquad \text{if } M \text{ introduces } x
\end{aligned}
\]

Commuting Steps (otherwise)

\[
\begin{aligned}
6.\;& \mathit{Cut}(\langle a\rangle M,\ (x)N) \longrightarrow M[a := (x)N] \qquad \text{if } M \text{ does not introduce } a, \text{ or} \\
& \phantom{\mathit{Cut}(\langle a\rangle M,\ (x)N)} \longrightarrow N[x := \langle a\rangle M] \qquad \text{if } N \text{ does not introduce } x
\end{aligned}
\]

There are a few subtleties in the reduction rule for the third case. Firstly, there are two ways to reduce a cut-rule having an implication as the cut-formula. Therefore we have included two reductions for this case. Secondly, special care needs to be taken that there is no clash between bound and free (co-)names. In the first reduction rule we need to ensure that a is not a free co-name in N; in the second rule, that x is not free in P. This can always be achieved by renaming a and x appropriately (they are binders in ImpR((x)⟨a⟩M, b)). We assume that the renaming is done implicitly in the cut-elimination procedure.
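As an added example (not code from the paper), the ∧-fragment of Definitions 2 and 3 in Python: substitution with and without the two special clauses, the reduction rules, and a search for every normal form reachable from a term, which shows both the failure of equation (2) under the naive substitution and a commuting cut that can move in two directions. The tuple encoding of terms, the disjoint name and co-name alphabets and the sample terms are assumptions of the example.

```python
# Added example, not the paper's own code: the /\-fragment of the term calculus with
# the substitution of Definition 2 and rules 1, 4, 5 and 6 of Definition 3.  Terms
# are tuples; names ('x', ...) and co-names ('a', ...) are strings from disjoint
# sets and the Barendregt convention (bound (co-)names distinct from all others) is
# assumed:  ('Ax', x, a)  ('Cut', (a, M), (x, N))  ('AndR', (a, M), (b, N), c)
# ('AndL', i, (x, M), y)  for Ax(x,a), Cut(<a>M,(x)N), AndR(<a>M,<b>N,c), AndL_i((x)M,y).

def introduces(t, v):
    # the last rule of t has v as its main (co-)name; a cut introduces nothing
    return v in t[1:] if t[0] == 'Ax' else t[0] != 'Cut' and t[3] == v

def mapsub(t, f):
    # rebuild t with f applied to the immediate subterms, binders unchanged
    if t[0] == 'Cut':
        return ('Cut', (t[1][0], f(t[1][1])), (t[2][0], f(t[2][1])))
    if t[0] == 'AndR':
        return ('AndR', (t[1][0], f(t[1][1])), (t[2][0], f(t[2][1])), t[3])
    return ('AndL', t[1], (t[2][0], f(t[2][1])), t[3]) if t[0] == 'AndL' else t

def ren(t, old, new):
    # M{old |-> new}: names and co-names are disjoint, so a plain tree rename suffices
    return new if t == old else tuple(ren(u, old, new) for u in t) if isinstance(t, tuple) else t

def subst_name(M, x, a, P, naive=False):
    # M[x := <a>P]; naive=True drops the two special clauses of Definition 2
    if not naive and M[0] == 'Cut' and M[1][1] == ('Ax', x, M[1][0]):
        y, N = M[2]                         # Cut(<a1>Ax(x,a1), (y)N)[x := <a>P]
        return ('Cut', (a, P), (x, ren(N, y, x)))
    if introduces(M, x):
        return ('Cut', (a, P), (x, M))
    return mapsub(M, lambda u: subst_name(u, x, a, P, naive))

def subst_coname(M, c, y, P, naive=False):
    # M[c := (y)P]; naive=True drops the two special clauses of Definition 2
    if not naive and M[0] == 'Cut' and M[2][1] == ('Ax', M[2][0], c):
        a1, L = M[1]                        # Cut(<a1>L, (x1)Ax(x1,c))[c := (y)P]
        return ('Cut', (c, ren(L, a1, c)), (y, P))
    if introduces(M, c):
        return ('Cut', (c, M), (y, P))
    return mapsub(M, lambda u: subst_coname(u, c, y, P, naive))

def root_reducts(t):
    # one-step reducts of a cut at the root: logical rules 1, 4, 5, else commuting rule 6
    if t[0] != 'Cut':
        return []
    (a, M), (x, N), out = t[1], t[2], []
    if M[0] == 'AndR' and M[3] == a and N[0] == 'AndL' and N[3] == x:   # rule 1
        (ai, Mi), (z, Nz) = M[N[1]], N[2]
        out.append(('Cut', (ai, subst_coname(Mi, a, x, N)), (z, subst_name(Nz, x, a, M))))
    if N[0] == 'Ax' and N[1] == x and introduces(M, a):                  # rule 4
        out.append(ren(M, a, N[2]))
    if M[0] == 'Ax' and M[2] == a and introduces(N, x):                  # rule 5
        out.append(ren(N, x, M[1]))
    if not out:                                                          # rule 6, either direction
        out += [subst_coname(M, a, x, N)] if not introduces(M, a) else []
        out += [subst_name(N, x, a, M)] if not introduces(N, x) else []
    return out

def reducts(t):
    # compatible closure: reducts at the root or inside one subterm
    out = set(root_reducts(t))
    for k in (1, 2) if t[0] in ('Cut', 'AndR') else (2,) if t[0] == 'AndL' else ():
        for s2 in reducts(t[k][1]):
            out.add(t[:k] + ((t[k][0], s2),) + t[k + 1:])
    return out

def normal_forms(t):
    # every normal form reachable from t; the search ends by the paper's Theorem 1
    seen, todo, nfs = set(), [t], set()
    while todo:
        u = todo.pop()
        if u not in seen:
            seen.add(u)
            rs = reducts(u)
            todo.extend(rs) if rs else nfs.add(u)
    return nfs

def canon(t, env=None, n=0):
    # rename binders to positional '#k' so that alpha-equivalent terms compare equal
    env = env or {}
    look, bind = lambda s: env.get(s, s), lambda s: {**env, s: '#%d' % n}
    if t[0] == 'Ax':
        return ('Ax', look(t[1]), look(t[2]))
    sub = lambda k: ('_', canon(t[k][1], bind(t[k][0]), n + 1))    # open the binder at t[k]
    if t[0] == 'Cut':
        return ('Cut', sub(1), sub(2))
    if t[0] == 'AndR':
        return ('AndR', sub(1), sub(2), look(t[3]))
    return ('AndL', t[1], sub(2), look(t[3]))

alpha_eq = lambda s, t: canon(s) == canon(t)

# Constructed inputs: the problem term of equation (2) with P = Ax(u,a), Q = Ax(y,d),
# and a commuting cut whose two reducts lead to two different cut-free proofs.
AX, P, Q = ('Ax', 'x', 'b'), ('Ax', 'u', 'a'), ('Ax', 'y', 'd')
COMMUTING_CUT = ('Cut', ('a', ('AndR', ('a1', ('Ax', 'u', 'a1')), ('a2', ('Ax', 'v', 'a')), 'c')),
                 ('x', ('AndL', 1, ('y', ('Ax', 'x', 'd')), 'z')))

def commutation_holds(naive):
    # is Ax(x,b)[x := <a>P][b := (y)Q] alpha-equal to Ax(x,b)[b := (y)Q][x := <a>P]?
    left = subst_coname(subst_name(AX, 'x', 'a', P, naive), 'b', 'y', Q, naive)
    right = subst_name(subst_coname(AX, 'b', 'y', Q, naive), 'x', 'a', P, naive)
    return alpha_eq(left, right)
```

`commutation_holds(True)` is False (the nested cuts of equation (2)) while `commutation_holds(False)` is True, and `normal_forms(COMMUTING_CUT)` returns the two permuted cut-free proofs.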
The main difference between our rules and the cut-elimination procedure defined for is the inclusion of non-determinism. Recall our example from the beginning of this section where a commuting cut can move in two directions. Let Cut(⟨a⟩M, (x)N) be the term annotation for this commuting cut, where M and N are the corresponding term annotations for the proofs π₁ and π₂, respectively. According to our last rule, this term can reduce to either M[a := (x)N] or N[x := ⟨a⟩M]. The choice of which term it reduces to is not specified (similarly for the reduction of the logical cut in the third case). In contrast, in LK^tq this choice is completely determined by the colour annotation. In general the colour annotation reduces the number of normal forms (cut-free proofs) reachable from a proof containing cuts (see §4 for an example). For the substitution we have the following lemmas:

Lemma 1.

(i) M[x := ⟨a⟩Ax(y,a)] ⟶⁺ M{x↦y} or M[x := ⟨a⟩Ax(y,a)] = M

(ii) M[a := (x)Ax(x,b)] ⟶⁺ M{a↦b} or M[a := (x)Ax(x,b)] = M

Proof. Routine induction on the structure of M.

Lemma 2. For any arbitrary substitution [σ], if M ⟶ M', then M[σ] ⟶ M'[σ] or M[σ] = M'[σ].

Proof. Induction on the structure of M. One interesting case is where M[σ] = M'[σ]; it is as follows:

Case M = Cut(⟨a⟩Ax(y,a), (x)P): Let P introduce x; then M ⟶ M' with M' = P{x↦y}. Let [σ] be [y := ⟨c⟩Q]. We have:

\[
\begin{aligned}
M[\sigma] &= \mathit{Cut}(\langle a\rangle \mathit{Ax}(y,a),\ (x)P)[y := \langle c\rangle Q] \stackrel{\mathrm{def}}{=} \mathit{Cut}(\langle c\rangle Q,\ (y)P\{x \mapsto y\}) \\
M'[\sigma] &= P\{x \mapsto y\}[y := \langle c\rangle Q] \stackrel{\mathrm{def}}{=} \mathit{Cut}(\langle c\rangle Q,\ (y)P\{x \mapsto y\})
\end{aligned}
\]

3 Proof of Strong Normalisation

We give in this section a detailed proof of strong normalisation for the reduction system developed in the previous section. To save space only details for the ∧-fragment are presented, but some pointers are given at the end of this section for the other connectives. The proof uses the notion of symmetric reducibility candidates from [1]. The proof proceeds as follows:

1. Define the sets of candidates over types using a fixed point construction.

2. Prove that candidates are closed under reduction.

3. Show that a named or co-named term in a candidate implies strong normalisation for the corresponding term.

4. Prove that all terms are strongly normalising.
The set SN denotes the set of strongly normalising terms. The candidates are defined only for named and co-named terms. We say that ⟨B⟩ is the type of co-named terms of the form ⟨a:B⟩M; similarly (B) is the type of named terms of the form (x:B)M. We define:

1. CT_⟨B⟩ is the set of co-named terms of type ⟨B⟩,

2. NT_(B) is the set of named terms of type (B).

In the following we define for every type ⟨B⟩ and (B) the candidates, written as ⟦⟨B⟩⟧ and ⟦(B)⟧; they are subsets of CT_⟨B⟩ and NT_(B), respectively. The definition of the candidates uses set operators for which we define the types as follows (where the set of all subsets of a given set S will be denoted as P(S)):

\[
\begin{aligned}
\mathrm{ANDRIGHT}_{\langle B \wedge C\rangle} &: \mathcal{P}(CT_{\langle B\rangle}) \times \mathcal{P}(CT_{\langle C\rangle}) \times \mathcal{P}(NT_{(B \wedge C)}) \to \mathcal{P}(CT_{\langle B \wedge C\rangle}) \\
\mathrm{ANDLEFT}^i_{(B_1 \wedge B_2)} &: \mathcal{P}(NT_{(B_i)}) \times \mathcal{P}(CT_{\langle B_1 \wedge B_2\rangle}) \to \mathcal{P}(NT_{(B_1 \wedge B_2)}) \\
\mathrm{BINDING}_{(B)} &: \mathcal{P}(CT_{\langle B\rangle}) \to \mathcal{P}(NT_{(B)}) \\
\mathrm{BINDING}_{\langle B\rangle} &: \mathcal{P}(NT_{(B)}) \to \mathcal{P}(CT_{\langle B\rangle}) \\
\mathrm{NEG}_{(B)} &: \mathcal{P}(CT_{\langle B\rangle}) \to \mathcal{P}(NT_{(B)}) \\
\mathrm{NEG}_{\langle B\rangle} &: \mathcal{P}(NT_{(B)}) \to \mathcal{P}(CT_{\langle B\rangle})
\end{aligned}
\]

The operators are indexed on types. When defining the set operators we use the following two sets of named and co-named axioms:

\[
\begin{aligned}
\mathrm{AXIOMS}_{(B)} &\stackrel{\mathrm{def}}{=} \{ (x{:}B)\mathit{Ax}(y,b) \mid \text{for all } \mathit{Ax}(y,b) \} \subseteq NT_{(B)} \\
\mathrm{AXIOMS}_{\langle B\rangle} &\stackrel{\mathrm{def}}{=} \{ \langle a{:}B\rangle \mathit{Ax}(y,b) \mid \text{for all } \mathit{Ax}(y,b) \} \subseteq CT_{\langle B\rangle}
\end{aligned}
\]

The set operators ANDRIGHT, ANDLEFT^i and BINDING are defined as follows:

\[
\begin{aligned}
\mathrm{ANDRIGHT}_{\langle B \wedge C\rangle}(X, Y, Z) &\stackrel{\mathrm{def}}{=} \{ \langle c{:}B{\wedge}C\rangle \mathit{AndR}(\langle a{:}B\rangle M, \langle b{:}C\rangle N, c) \mid \\
&\qquad \forall (x{:}B{\wedge}C)P \in Z.\ \langle a\rangle M[c := (x)P] \in X \text{ and } \langle b\rangle N[c := (x)P] \in Y \} \\
\mathrm{ANDLEFT}^i_{(B_1 \wedge B_2)}(X, Y) &\stackrel{\mathrm{def}}{=} \{ (y{:}B_1{\wedge}B_2)\mathit{AndL}_i((x{:}B_i)M, y) \mid \\
&\qquad \forall \langle a{:}B_1{\wedge}B_2\rangle P \in Y.\ (x)M[y := \langle a\rangle P] \in X \} \\
\mathrm{BINDING}_{(B)}(X) &\stackrel{\mathrm{def}}{=} \{ (x{:}B)M \mid \forall \langle a{:}B\rangle P \in X.\ M[x := \langle a{:}B\rangle P] \in SN \} \\
\mathrm{BINDING}_{\langle B\rangle}(Y) &\stackrel{\mathrm{def}}{=} \{ \langle a{:}B\rangle M \mid \forall (x{:}B)P \in Y.\ M[a := (x{:}B)P] \in SN \}
\end{aligned}
\]

The set operator NEG and the candidates ⟦⟨B⟩⟧ and ⟦(B)⟧ are defined simultaneously over types:

\[
\begin{aligned}
\mathrm{NEG}_{\langle B\rangle}(X) &\stackrel{\mathrm{def}}{=} \mathrm{AXIOMS}_{\langle B\rangle} \cup \mathrm{BINDING}_{\langle B\rangle}(X) & \langle B\rangle \text{ atomic} \\
\mathrm{NEG}_{\langle C \wedge D\rangle}(X) &\stackrel{\mathrm{def}}{=} \mathrm{AXIOMS}_{\langle C \wedge D\rangle} \cup \mathrm{BINDING}_{\langle C \wedge D\rangle}(X) \cup \mathrm{ANDRIGHT}_{\langle C \wedge D\rangle}(\llbracket \langle C\rangle \rrbracket, \llbracket \langle D\rangle \rrbracket, X) & \langle B\rangle = \langle C \wedge D\rangle \\[6pt]
\mathrm{NEG}_{(B)}(X) &\stackrel{\mathrm{def}}{=} \mathrm{AXIOMS}_{(B)} \cup \mathrm{BINDING}_{(B)}(X) & (B) \text{ atomic} \\
\mathrm{NEG}_{(C \wedge D)}(X) &\stackrel{\mathrm{def}}{=} \mathrm{AXIOMS}_{(C \wedge D)} \cup \mathrm{BINDING}_{(C \wedge D)}(X) \cup \mathrm{ANDLEFT}^1_{(C \wedge D)}(\llbracket (C) \rrbracket, X) \cup \mathrm{ANDLEFT}^2_{(C \wedge D)}(\llbracket (D) \rrbracket, X) & (B) = (C \wedge D)
\end{aligned}
\]
For the definition of the candidates we use fixed points of an increasing set operator. A set operator op is said to be:

increasing, iff S ⊆ S' ⟹ op(S) ⊆ op(S'), and
decreasing, iff S ⊆ S' ⟹ op(S) ⊇ op(S').

The candidates are defined as follows:

\[
\llbracket (B) \rrbracket \stackrel{\mathrm{def}}{=} X_0 \qquad \text{and} \qquad \llbracket \langle B\rangle \rrbracket \stackrel{\mathrm{def}}{=} \mathrm{NEG}_{\langle B\rangle}(\llbracket (B) \rrbracket)
\]

where X₀ is the least fixed point of the operator NEG_(B) ∘ NEG_⟨B⟩.¹

We have that BINDING_⟨B⟩ and ANDRIGHT_⟨C∧D⟩ (i.e., X ↦ ANDRIGHT_⟨C∧D⟩(⟦⟨C⟩⟧, ⟦⟨D⟩⟧, X)) are decreasing operators. But then NEG_⟨B⟩ must be a decreasing operator (similarly NEG_(B) must be decreasing). If both NEG_(B) and NEG_⟨B⟩ are decreasing, then the operator NEG_(B) ∘ NEG_⟨B⟩ is increasing and the least fixed point X₀ exists according to Tarski's fixed point theorem. For the candidates we have:

\[
\llbracket (B) \rrbracket = \mathrm{NEG}_{(B)}(\llbracket \langle B\rangle \rrbracket) \qquad \text{and} \qquad \llbracket \langle B\rangle \rrbracket = \mathrm{NEG}_{\langle B\rangle}(\llbracket (B) \rrbracket).
\]

Since NEG is closed under axioms we also have:

\[
\mathrm{AXIOMS}_{(B)} \subseteq \llbracket (B) \rrbracket \qquad \text{and} \qquad \mathrm{AXIOMS}_{\langle B\rangle} \subseteq \llbracket \langle B\rangle \rrbracket. \tag{3}
\]

Lemma 3.

(i) If ⟨a:B⟩M ∈ ⟦⟨B⟩⟧ and M ⟶ M', then ⟨a:B⟩M' ∈ ⟦⟨B⟩⟧.

(ii) If (x:B)M ∈ ⟦(B)⟧ and M ⟶ M', then (x:B)M' ∈ ⟦(B)⟧.

Proof. We prove both cases simultaneously by induction on ⟨B⟩ and (B).

Case ⟨B⟩ atomic: For (i) we have ⟦⟨B⟩⟧ = NEG_⟨B⟩(⟦(B)⟧); therefore ⟨a:B⟩M ∈ AXIOMS_⟨B⟩ ∪ BINDING_⟨B⟩(⟦(B)⟧). M cannot be an axiom (because axioms do not reduce), therefore ⟨a:B⟩M ∈ BINDING_⟨B⟩(⟦(B)⟧) = {⟨a:B⟩S | ∀(x:B)T ∈ ⟦(B)⟧. S[a := (x:B)T] ∈ SN}. For ⟨a:B⟩M we have M[a := (x:B)P] ∈ SN for all (x:B)P ∈ ⟦(B)⟧, and since M ⟶ M' we know by Lemma 2 that either M[a := (x)P] ⟶ M'[a := (x)P] or M[a := (x)P] = M'[a := (x)P]. In both cases we have M'[a := (x:B)P] ∈ SN for all (x:B)P ∈ ⟦(B)⟧. This implies that ⟨a:B⟩M' ∈ BINDING_⟨B⟩(⟦(B)⟧) and hence ⟨a:B⟩M' ∈ NEG_⟨B⟩(⟦(B)⟧). Therefore ⟨a:B⟩M' ∈ ⟦⟨B⟩⟧. Similarly for (ii).

Case ⟨B⟩ = ⟨C∧D⟩: ⟨a:C∧D⟩M is an element of ⟦⟨C∧D⟩⟧ = NEG_⟨C∧D⟩(⟦(C∧D)⟧) = AXIOMS_⟨C∧D⟩ ∪ BINDING_⟨C∧D⟩(⟦(C∧D)⟧) ∪ ANDRIGHT_⟨C∧D⟩(⟦⟨C⟩⟧, ⟦⟨D⟩⟧, ⟦(C∧D)⟧). ⟨a:C∧D⟩M ∉ AXIOMS_⟨C∧D⟩, because axioms do not reduce. Therefore we have that ⟨a:C∧D⟩M ∈ ANDRIGHT_⟨C∧D⟩(⟦⟨C⟩⟧, ⟦⟨D⟩⟧, ⟦(C∧D)⟧) or that ⟨a:C∧D⟩M ∈ BINDING_⟨C∧D⟩(⟦(C∧D)⟧). In the second case we reason as in the atomic case. In the first case we know that ⟨a⟩M is of the form ⟨c:C∧D⟩AndR(⟨d⟩S, ⟨e⟩T, c) and ⟨a⟩M' = ⟨c:C∧D⟩AndR(⟨d⟩S', ⟨e⟩T', c), where either S ⟶ S' and T = T', or S = S' and T ⟶ T'. Assume the former case (the other case being similar). We have that ⟨d:C⟩S[c := (x)P] ∈ ⟦⟨C⟩⟧ for all (x:C∧D)P ∈ ⟦(C∧D)⟧. Since S ⟶ S' we know by Lemma 2 that either S[c := (x)P] = S'[c := (x)P] or S[c := (x)P] ⟶ S'[c := (x)P]. In both cases (in the second by IH) we can infer that ⟨d⟩S'[c := (x)P] ∈ ⟦⟨C⟩⟧ for all (x:C∧D)P ∈ ⟦(C∧D)⟧. Therefore we know that ⟨a:C∧D⟩M' must be in ANDRIGHT_⟨C∧D⟩(⟦⟨C⟩⟧, ⟦⟨D⟩⟧, ⟦(C∧D)⟧) and we can conclude that ⟨a:C∧D⟩M' ∈ ⟦⟨C∧D⟩⟧. Similarly for (ii).

¹ In all rigour we also have to assume that the candidates are closed under α-conversion.

Lemma 4.

(i) If ⟨a:B⟩M ∈ ⟦⟨B⟩⟧, then M ∈ SN.

(ii) If (x:B)M ∈ ⟦(B)⟧, then M ∈ SN.

Proof. Simultaneous induction on the types ⟨B⟩ and (B).

Case ⟨B⟩ atomic: Since ⟦⟨B⟩⟧ = NEG_⟨B⟩(⟦(B)⟧) we have ⟨a:B⟩M ∈ AXIOMS_⟨B⟩ or ⟨a:B⟩M ∈ BINDING_⟨B⟩(⟦(B)⟧). In the first case M is an axiom and therefore strongly normalising. In the second case we know that M[a := (x:B)P] ∈ SN for all (x:B)P ∈ ⟦(B)⟧. By (3) we have (x:B)Ax(x,a) ∈ ⟦(B)⟧ and therefore M[a := (x)Ax(x,a)] ∈ SN. Furthermore we know by Lemma 2 that either M[a := (x)Ax(x,a)] = M or M[a := (x)Ax(x,a)] ⟶⁺ M. Therefore M ∈ SN. Similarly for (ii).

Case ⟨B⟩ = ⟨C∧D⟩: By ⟦⟨C∧D⟩⟧ = NEG_⟨C∧D⟩(⟦(C∧D)⟧) we have that:

\[
\langle a{:}C{\wedge}D\rangle M \in \mathrm{AXIOMS}_{\langle C \wedge D\rangle} \cup \mathrm{BINDING}_{\langle C \wedge D\rangle}(\llbracket (C \wedge D) \rrbracket) \cup \mathrm{ANDRIGHT}_{\langle C \wedge D\rangle}(\llbracket \langle C\rangle \rrbracket, \llbracket \langle D\rangle \rrbracket, \llbracket (C \wedge D) \rrbracket)
\]

If ⟨a:C∧D⟩M is an element of the first two sets we reason as in the atomic case. Left to show is that M ∈ SN if ⟨a⟩M ∈ ANDRIGHT_⟨C∧D⟩(⟦⟨C⟩⟧, ⟦⟨D⟩⟧, ⟦(C∧D)⟧). In this case ⟨a⟩M is of the form ⟨c⟩AndR(⟨d⟩S, ⟨e⟩T, c) where ⟨d⟩S[c := (x)P] ∈ ⟦⟨C⟩⟧ and ⟨e⟩T[c := (x)P] ∈ ⟦⟨D⟩⟧ for all (x:C∧D)P ∈ ⟦(C∧D)⟧. By (3) we know that (x:C∧D)Ax(x,c) ∈ ⟦(C∧D)⟧, and we have ⟨d⟩S[c := (x)Ax(x,c)] ∈ ⟦⟨C⟩⟧ and ⟨e⟩T[c := (x)Ax(x,c)] ∈ ⟦⟨D⟩⟧. By IH we can infer that S[c := (x)Ax(x,c)] ∈ SN and T[c := (x)Ax(x,c)] ∈ SN. From Lemma 1 we can infer that S[c := (x)Ax(x,c)] = S or S[c := (x)Ax(x,c)] ⟶⁺ S. In both cases we know that S ∈ SN (similarly T ∈ SN). But then AndR(⟨d⟩S, ⟨e⟩T, c) must be strongly normalising too. Similarly for (ii).

Lemma 5. If M, N ∈ SN and ⟨a:B⟩M ∈ ⟦⟨B⟩⟧, (x:B)N ∈ ⟦(B)⟧, then Cut(⟨a:B⟩M, (x:B)N) ∈ SN.

Proof. We assign to each term of the form Cut(⟨a:B⟩M, (x:B)N) a lexicographically ordered induction value of the form (δ, l(M), l(N)) where δ is the degree of the cut-formula B; l(M) and l(N) are the lengths of the maximal reduction sequences starting from M and N, respectively. By assumption both l(M) and l(N) are finite. We prove that all terms to which Cut(⟨a⟩M, (x)N) reduces are strongly normalising.
Inner Reduction: Cut(⟨a⟩M, (x)N) ⟶ Cut(⟨a⟩M', (x)N') where either M = M' and N ⟶ N', or M ⟶ M' and N = N'. Assume the latter case (the other case being similar). We have to prove that Cut(⟨a⟩M', (x)N) ∈ SN. From ⟨a:B⟩M ∈ ⟦⟨B⟩⟧ we can infer by Lemmas 3 and 4 that ⟨a:B⟩M' ∈ ⟦⟨B⟩⟧ and M' ∈ SN. We know that the degree of the cut-formula is equal in both terms, but l(M') < l(M). Therefore we can apply the IH and infer that Cut(⟨a⟩M', (x)N) ∈ SN.

Commuting Reduction: Cut(⟨a⟩M, (x)N) ⟶ M[a := (x)N]. By assumption we have ⟨a:B⟩M ∈ ⟦⟨B⟩⟧ = NEG_⟨B⟩(⟦(B)⟧). We know that the commuting reduction is only applicable if M does not introduce a; therefore we have that ⟨a:C∧D⟩M ∉ ANDRIGHT_⟨C∧D⟩(⟦⟨C⟩⟧, ⟦⟨D⟩⟧, ⟦(C∧D)⟧) (where B = C∧D). That means that ⟨a:B⟩M ∈ AXIOMS_⟨B⟩ or ⟨a:B⟩M ∈ BINDING_⟨B⟩(⟦(B)⟧). In the first case we have Cut(⟨a⟩M, (x)N) ⟶ M[a := (x)N] = M (because M is an axiom and does not introduce a); M is strongly normalising by assumption. In the second case we have that M[a := (y:B)P] ∈ SN for all (y:B)P ∈ ⟦(B)⟧. Set (y:B)P to (x:B)N, which is in ⟦(B)⟧ by assumption. The symmetric case is similar.

Case Logical Reduction I: Cut(⟨a⟩Ax(y,a), (x)N) ⟶ N{x↦y}. By assumption we know that N ∈ SN. This implies that N{x↦y} ∈ SN. The symmetric case is similar.

Case Logical Reduction II: Cut(⟨c⟩AndR(⟨a⟩S, ⟨b⟩T, c), (y)AndL_1((x)U, y)), where B = C∧D. For more clarity we set ⟨c⟩M = ⟨c:C∧D⟩AndR(⟨a⟩S, ⟨b⟩T, c) and (y)N = (y:C∧D)AndL_1((x)U, y).

\[
\mathit{Cut}(\langle c\rangle \mathit{AndR}(\langle a\rangle S, \langle b\rangle T, c),\ (y)\mathit{AndL}_1((x)U, y)) \longrightarrow \mathit{Cut}(\langle a\rangle S[c := (y)N],\ (x)U[y := \langle c\rangle M]).
\]

By assumption we know that ⟨c:C∧D⟩M ∈ ⟦⟨C∧D⟩⟧ and (y:C∧D)N ∈ ⟦(C∧D)⟧. We have to show that Cut(⟨a:C⟩S[c := (y)N], (x:C)U[y := ⟨c⟩M]) ∈ SN. Since ⟨c⟩M ∈ ⟦⟨C∧D⟩⟧ = NEG_⟨C∧D⟩(⟦(C∧D)⟧) and ⟨c⟩M ∉ AXIOMS_⟨C∧D⟩ we know that:

⟨c:C∧D⟩M ∈ BINDING_⟨C∧D⟩(⟦(C∧D)⟧) or ⟨c:C∧D⟩M ∈ ANDRIGHT_⟨C∧D⟩(⟦⟨C⟩⟧, ⟦⟨D⟩⟧, ⟦(C∧D)⟧).

Similarly

(y:C∧D)N ∈ BINDING_(C∧D)(⟦⟨C∧D⟩⟧) or (y:C∧D)N ∈ ANDLEFT^1_(C∧D)(⟦(C)⟧, ⟦⟨C∧D⟩⟧).

If ⟨c:C∧D⟩M ∈ BINDING_⟨C∧D⟩(⟦(C∧D)⟧) we know that M[c := (z)P] ∈ SN for all (z:C∧D)P ∈ ⟦(C∧D)⟧. By assumption (y:C∧D)N ∈ ⟦(C∧D)⟧ and therefore M[c := (y)N] = Cut(⟨c⟩M, (y)N) ∈ SN. But then we also have that its reduct Cut(⟨a⟩S[c := (y)N], (x)U[y := ⟨c⟩M]) ∈ SN. Similarly for the case (y:C∧D)N ∈ BINDING_(C∧D)(⟦⟨C∧D⟩⟧). It is left to show strong normalisation in the case where ⟨c:C∧D⟩M ∈ ANDRIGHT_⟨C∧D⟩(⟦⟨C⟩⟧, ⟦⟨D⟩⟧, ⟦(C∧D)⟧) and (y:C∧D)N ∈ ANDLEFT^1_(C∧D)(⟦(C)⟧, ⟦⟨C∧D⟩⟧). We have ⟨a⟩S[c := (y)P] ∈ ⟦⟨C⟩⟧ and (x)U[y := ⟨c⟩Q] ∈ ⟦(C)⟧ for all terms (y:C∧D)P ∈ ⟦(C∧D)⟧ and ⟨c:C∧D⟩Q ∈ ⟦⟨C∧D⟩⟧. By assumption we know
that ⟨c:C∧D⟩M ∈ ⟦⟨C∧D⟩⟧ and (y:C∧D)N ∈ ⟦(C∧D)⟧; set ⟨c⟩M for ⟨c⟩Q and (y)N for (y)P, respectively. Therefore we know that ⟨a⟩S[c := (y)N] ∈ ⟦⟨C⟩⟧ and (x)U[y := ⟨c⟩M] ∈ ⟦(C)⟧. Furthermore, by Lemma 4 we have S[c := (y)N] ∈ SN and U[y := ⟨c⟩M] ∈ SN. Because the degree of the cut-formula has decreased we can apply the IH and infer that

\[
\mathit{Cut}(\langle a\rangle S[c := (y)N],\ (x)U[y := \langle c\rangle M]) \in SN.
\]

We have shown that all immediate reducts of Cut(⟨a⟩M, (x)N) are strongly normalising. Consequently Cut(⟨a⟩M, (x)N) must be strongly normalising.

It is left to show that all well-typed terms are strongly normalising. To do so, we shall consider a special class of simultaneous substitutions, which are called safe. The principal property of safe substitutions [σ₁] and [σ₂] is that they can be commuted, i.e. M[σ₁][σ₂] = M[σ₂][σ₁].

Let σ be a set of substitutions of the form [x := ⟨a⟩P] and [b := (y)Q]. Let us call the set of the x's and b's the domain of σ (written as dom(σ)); the set of named terms (y)Q and co-named terms ⟨a⟩P is called the co-domain of σ (written as codom(σ)). A safe simultaneous substitution (sss) is a set of substitutions where no variable clash between the domain and co-domain occurs (this can always be achieved by appropriate α-conversions; however, we omit a precise definition).

The next lemma shows that a specific type of simultaneous substitutions is safe.

Lemma 6. Let σ be of the form [x_i := ⟨c⟩Ax(x_i, c)], where the x_i's and a_i's are distinct names and co-names, respectively. Substitution σ is a sss.

Proof. Induction on the length of σ.

Lemma 7. For every term M (not necessarily strongly normalising) and for every sss σ such that FN(M) ∪ FC(M) ⊆ dom(σ) (i.e., σ is a closing substitution²), and for every (x:B)P ∈ codom(σ), (x:B)P ∈ ⟦(B)⟧, and every ⟨a:C⟩Q ∈ codom(σ), ⟨a:C⟩Q ∈ ⟦⟨C⟩⟧, we have Mσ ∈ SN.

Proof. We proceed by induction over the structure of M. We write σ,[σ'] for the set σ ∪ [σ'] where [σ'] ∉ σ.

Case Ax(x,a): We have to prove that Ax(x,a) σ,[x := ⟨b⟩P],[a := (y)Q] ∈ SN. By definition of substitution Ax(x,a) σ,[x := ⟨b⟩P],[a := (y)Q] = Cut(⟨b⟩P, (y)Q). By assumption ⟨b:B⟩P ∈ ⟦⟨B⟩⟧ and (y:B)Q ∈ ⟦(B)⟧. By Lemma 4 we know that P ∈ SN and Q ∈ SN. Therefore we can apply Lemma 5 and infer that Cut(⟨b⟩P, (y)Q) ∈ SN. Therefore Ax(x,a) σ,[x := ⟨b⟩P],[a := (y)Q] ∈ SN.

² All free names and co-names of M are amongst the domain of σ.
Case AndR(⟨a⟩M, ⟨b⟩N, c): We prove that AndR(⟨a⟩M, ⟨b⟩N, c) σ,[c := (z)R] ∈ SN where (z:B∧C)R is an arbitrary named term in ⟦(B∧C)⟧. We can infer that AndR(⟨a⟩M, ⟨b⟩N, c) σ,[c := (z)R] = Cut(⟨c⟩AndR(⟨a⟩Mσ, ⟨b⟩Nσ, c), (z)R). By IH we know that M σ,[c := (x)S],[a := (y)P] ∈ SN and N σ,[c := (x)S],[b := (v)Q] ∈ SN for arbitrary (y:B)P ∈ ⟦(B)⟧, (v:C)Q ∈ ⟦(C)⟧ and (x:B∧C)S ∈ ⟦(B∧C)⟧.

Making appropriate α-conversions we have (Mσ)[c := (x)S][a := (y)P] ∈ SN and (Nσ)[c := (x)S][b := (v)Q] ∈ SN. By definition of BINDING we have ⟨a:B⟩(Mσ)[c := (x)S] ∈ ⟦⟨B⟩⟧ and ⟨b:C⟩(Nσ)[c := (x)S] ∈ ⟦⟨C⟩⟧. Because (x:B∧C)S is an arbitrary named term in the candidate ⟦(B∧C)⟧ we have by definition of ANDRIGHT_⟨B∧C⟩ that ⟨c:B∧C⟩AndR(⟨a⟩Mσ, ⟨b⟩Nσ, c) ∈ ⟦⟨B∧C⟩⟧. Furthermore we know by Lemma 4 that AndR(⟨a⟩Mσ, ⟨b⟩Nσ, c) ∈ SN.

For (z:B∧C)R ∈ ⟦(B∧C)⟧ we have by Lemma 4 that R ∈ SN. We can apply Lemma 5 and have Cut(⟨c⟩AndR(⟨a⟩Mσ, ⟨b⟩Nσ, c), (z)R) ∈ SN and therefore AndR(⟨a⟩M, ⟨b⟩N, c) σ,[c := (z)R] ∈ SN.

Case AndL_i((x)M, y) (i = 1, 2): We have to prove that AndL_i((x)M, y) σ,[y := ⟨c⟩R] ∈ SN where ⟨c:B₁∧B₂⟩R is an arbitrary co-named term in ⟦⟨B₁∧B₂⟩⟧. We have AndL_i((x)M, y) σ,[y := ⟨c⟩R] = Cut(⟨c⟩R, (y)AndL_i((x)Mσ, y)) by definition of substitution. By IH we know that M σ,[y := ⟨a⟩S],[x := ⟨b⟩T] ∈ SN for arbitrary ⟨a:B₁∧B₂⟩S ∈ ⟦⟨B₁∧B₂⟩⟧ and arbitrary ⟨b:B_i⟩T ∈ ⟦⟨B_i⟩⟧. Making appropriate α-conversions we have (Mσ)[y := ⟨a⟩S][x := ⟨b⟩T] ∈ SN. By definition of BINDING we have (x:B_i)(Mσ)[y := ⟨a⟩S] ∈ ⟦(B_i)⟧. Since ⟨a:B₁∧B₂⟩S is an arbitrary co-named term in ⟦⟨B₁∧B₂⟩⟧ we have by definition of ANDLEFT^i_(B₁∧B₂) that (y:B₁∧B₂)AndL_i((x)Mσ, y) ∈ ⟦(B₁∧B₂)⟧.

By Lemma 4 we can infer that AndL_i((x)Mσ, y) ∈ SN. For ⟨c:B₁∧B₂⟩R ∈ ⟦⟨B₁∧B₂⟩⟧ we have by Lemma 4 that R ∈ SN. We can apply Lemma 5 and have Cut(⟨c⟩R, (y)AndL_i((x)Mσ, y)) ∈ SN. Therefore AndL_i((x)M, y) σ,[y := ⟨c⟩R] ∈ SN.

Case Cut(⟨a⟩M, (x)N):

Subcase I: M is an axiom (the case of N being an axiom is similar). We have to show that Cut(⟨a⟩Ax(x,a), (y)N) [x := ⟨b⟩S],σ ∈ SN. By definition of substitution Cut(⟨a⟩Ax(x,a), (y)N) [x := ⟨b⟩S],σ = Cut(⟨b⟩S, (x)N{y↦x}σ). By assumption we know that ⟨b:B⟩S ∈ ⟦⟨B⟩⟧; using Lemma 4 we know that S ∈ SN. By assumption we know that N σ,[x := ⟨b⟩S],[y := ⟨b⟩S] ∈ SN for arbitrary ⟨b:B⟩S ∈ ⟦⟨B⟩⟧. Because σ,[x := ⟨b⟩S],[y := ⟨b⟩S] is a safe simultaneous substitution we have (making appropriate α-conversions) N σ,[x := ⟨b⟩S],[y := ⟨b⟩S] = (N{y↦x}σ)[x := ⟨b⟩S]. By definition of BINDING we know that (x:B)N{y↦x}σ ∈ ⟦(B)⟧. By Lemma 4 we can infer that N{y↦x}σ ∈ SN. Then we can apply Lemma 5 and can show that Cut(⟨b⟩S, (x)N{y↦x}σ) ∈ SN. Therefore Cut(⟨a⟩Ax(x,a), (y)N) σ,[x := ⟨b⟩S] ∈ SN.

Subcase II: M and N are not axioms. We prove that Cut(⟨a⟩M, (x)N) σ ∈ SN. By IH we know that M σ,[a := (y)S] ∈ SN and N σ,[x := ⟨b⟩T] ∈ SN for arbitrary (y:B)S ∈ ⟦(B)⟧ and ⟨b:B⟩T ∈ ⟦⟨B⟩⟧. Making appropriate α-conversions we know that (Mσ)[a := (y)S] ∈ SN and (Nσ)[x := ⟨b⟩T] ∈ SN. By definition of BINDING we can infer that ⟨a:B⟩Mσ ∈ ⟦⟨B⟩⟧ and (x:B)Nσ ∈ ⟦(B)⟧. By Lemma 4 we have that Mσ ∈ SN and Nσ ∈ SN. Therefore we can apply Lemma 5 and infer Cut(⟨a⟩Mσ, (x)Nσ) = Cut(⟨a⟩M, (x)N) σ ∈ SN.

We can now prove our main theorem.

Theorem 1. All well-typed terms are strongly normalising.

Proof. We know by Lemma 7 that for arbitrary well-typed terms M and arbitrary safe simultaneous substitutions σ, we have Mσ ∈ SN. Let σ be the safe simultaneous substitution from Lemma 6. Using Lemma 1 we can infer that either Mσ ⟶⁺ M or Mσ = M. From this we have M ∈ SN.

This theorem can be extended to the full classical logic. To save space we give only the definitions for the set operators with implicational type:

\[
\begin{aligned}
\mathrm{IMPLEFT}_{(B \supset C)} &: \mathcal{P}(CT_{\langle B\rangle}) \times \mathcal{P}(NT_{(C)}) \times \mathcal{P}(CT_{\langle B \supset C\rangle}) \to \mathcal{P}(NT_{(B \supset C)}) \\
\mathrm{IMPRIGHT}_{\langle B \supset C\rangle} &: \mathcal{P}(NT_{(B)}) \times \mathcal{P}(CT_{\langle C\rangle}) \times \mathcal{P}(NT_{(B \supset C)}) \to \mathcal{P}(CT_{\langle B \supset C\rangle})
\end{aligned}
\]

\[
\begin{aligned}
\mathrm{IMPLEFT}_{(B \supset C)}(X, Y, Z) &\stackrel{\mathrm{def}}{=} \{ (z{:}B{\supset}C)\mathit{ImpL}(\langle a{:}B\rangle M, (x{:}C)N, z) \mid \\
&\qquad \forall \langle c{:}B{\supset}C\rangle P \in Z.\ \langle a\rangle M[z := \langle c\rangle P] \in X \text{ and } (x)N[z := \langle c\rangle P] \in Y \} \\
\mathrm{IMPRIGHT}_{\langle B \supset C\rangle}(X, Y, Z) &\stackrel{\mathrm{def}}{=} \{ \langle b{:}B{\supset}C\rangle \mathit{ImpR}((x{:}B)\langle a{:}C\rangle M, b) \mid \\
&\qquad \forall (z{:}B{\supset}C)P \in Z,\ \forall \langle c{:}B\rangle S \in X.\ \langle a\rangle M[b := (z)P][x := \langle c\rangle S] \in Y \text{ and} \\
&\qquad \forall (z{:}B{\supset}C)P \in Z,\ \forall (y{:}C)T \in Y.\ (x)M[b := (z)P][a := (y)T] \in X \}
\end{aligned}
\]

\[
\begin{aligned}
\mathrm{NEG}_{\langle B \supset C\rangle}(X) &\stackrel{\mathrm{def}}{=} \mathrm{AXIOMS}_{\langle B \supset C\rangle} \cup \mathrm{BINDING}_{\langle B \supset C\rangle}(X) \cup \mathrm{IMPRIGHT}_{\langle B \supset C\rangle}(\llbracket (B) \rrbracket, \llbracket \langle C\rangle \rrbracket, X) \\
\mathrm{NEG}_{(B \supset C)}(X) &\stackrel{\mathrm{def}}{=} \mathrm{AXIOMS}_{(B \supset C)} \cup \mathrm{BINDING}_{(B \supset C)}(X) \cup \mathrm{IMPLEFT}_{(B \supset C)}(\llbracket \langle B\rangle \rrbracket, \llbracket (C) \rrbracket, X)
\end{aligned}
\]

The strong normalisation proof can be easily extended using the definitions above. The only difficulty arises in Lemma 5 for the cut-elimination reduction for the connective ⊃. The reduct of such a cut contains two nested cuts. Although the degree of the cut-formula decreases for the outer cut, the IH is not immediately applicable. In order to apply the induction hypothesis for the outer cut one has to show for the inner cut that:

\[
\begin{aligned}
&\langle a\rangle \mathit{Cut}(\langle c\rangle N[z := \langle b\rangle \mathit{ImpR}((x)\langle a\rangle M, b)],\ (x)M[b := (z)\mathit{ImpL}(\langle c\rangle N, (y)P, z)]) \in \llbracket \langle C\rangle \rrbracket \\
&\text{and} \\
&(x)\mathit{Cut}(\langle a\rangle M[b := (z)\mathit{ImpL}(\langle c\rangle N, (y)P, z)],\ (y)P[z := \langle b\rangle \mathit{ImpR}((x)\langle a\rangle M, b)]) \in \llbracket (B) \rrbracket
\end{aligned}
\]

In the first case (the other being similar) one has to show that:

\[
\mathit{Cut}(\langle c\rangle N[z := \langle b\rangle \mathit{ImpR}((x)\langle a\rangle M, b)],\ (x)M[b := (z)\mathit{ImpL}(\langle c\rangle N, (y)P, z)])\,[a := (v)T] \in SN.
\]

To infer this it is essential to know that a is not free in N and P (a requirement of the reduction rule which can always be achieved by renaming a appropriately).
Fig. 3. A proof in G3c and a cut-free normal form which is not reachable by a cut-elimination procedure using colours as in

4 Conclusion

In this paper we presented a reduction system for cut-elimination in classical logic. One feature of the reduction system is to permute a subderivation of a commuting cut directly to the place(s) where the cut-formula is a main formula. This is an idea taken from the work in [6]. However we do not require their colour annotations on the cut-formulae (in fact no additional information is required at all). One consequence is that, in general, more normal forms can be reached from a given proof containing cuts (see Figure 3 for an example). Because of the fewer constraints on our reduction system, strong normalisation cannot be proved by translating every reduction to a series of reductions in proof-nets, as done for . The use of a term calculus for sequent derivations allowed us to use directly proof techniques from the λ^Sym-calculus [1] to prove strong normalisation. This use of syntax to study proof structures is part of an on-going research project [3,19].

The result presented in this paper can be extended to the first-order calculus and can be adapted to LK or free-style LK^tq. There are many directions for further work. For example, what is the precise correspondence in the intuitionistic case between normalisation and our strongly normalising cut-elimination procedure? For classical logic the correspondence between our cut-elimination procedure and normalisation in, for example, Parigot's λμ [17] is another interesting question.
Pure Type Systems with Subtyping

(Extended Abstract)

Abstract. We extend the framework of Pure Type Systems with subtyping, as found in . This leads to a concise description of many existing systems with subtyping, and also to some new interesting systems. We develop the meta-theory for this framework, including Subject Reduction and Minimal Typing.

The main problem was how to formulate the rules of the framework in such a way that we avoid circularities between theory about typing and theory about subtyping. We solve this problem by a simple but rigorous design decision: the subtyping rules do not depend on the typing rules.

1 Introduction

The Pure Type Systems (PTSs, see [Bar92]) provide a framework of type systems, in which many particular systems, such as F, λP and the Calculus of Constructions, can be concisely expressed and easily compared. Furthermore, the PTSs also include many new interesting systems.

We introduce a framework of Pure Type Systems with Subtyping (PTS≤s), which includes a number of PTSs extended with subtyping, e.g. λ→≤ [Car88], F≤ [CG92], [PS94], λP≤ [AC96] and λC≤ [Che97]. This framework also yields new systems, e.g. the Calculus of Constructions with subtyping.

The main problem is how to define it in such a way that we can develop the meta-theory. The most straightforward approach seems to be the combination of the rules of PTSs with subtyping rules found in systems like . Some of these subtyping rules have typing judgments as premises. This is very awkward for the meta-theory, since results about the subtyping judgment cannot be proved independently of results about the typing judgments: soon one gets circular dependencies of lemmas about subtyping and lemmas about typing. Each particular system with subtyping in the literature avoids or solves this problem by exploiting the particular nature of that system, and none of these solutions also works for PTS≤s (see section 2.3).

This leads us to consider a reformulation of the definition of the PTS≤s, where we conform to the following major design decision:

The subtyping rules do not depend on the typing rules.

In other words, we define the subtyping relation on pseudoterms rather than only on well-typed terms. Now we can develop the theory for subtyping first, and then proceed to the typing judgment.

J.-Y. Girard (Ed.): TLCA'99, LNCS 1581, pp. 381-396, 1999.
(c) Springer-Verlag Berlin Heidelberg 1999
It turns out to be hard to prove some essential properties about the subtyping judgment. We solve this by considering an equivalent reformulation of the subtyping rules, roughly similar to the subtyping algorithms proposed in the literature. A surprising element in this reformulation is a subtyping rule that relates terms that are per definition untypable.

Furthermore, the proof of Uniqueness of Typing for ordinary PTSs couldn't be easily extended to a proof of Minimal Typing for PTS≤s. We solved this by proving a weak form of Minimal Typing, and by introducing another form of reduction.

In section 2 we define the syntax of PTS≤s, and give the typing and subtyping rules. We also relate to subtyping systems in the literature. Section 3 gives the meta-theory including Subject Reduction and Minimal Typing. Section 4 gives the conclusions.

2 Syntax and Typing Rules

We specify the syntax of PTS≤s in section 2.1, and the typing and subtyping rules in section 2.2. Section 2.3 shows how many existing systems with subtyping can be considered as a PTS≤. Section 2.4 shows a number of alternatives and extensions for our rules.

2.1 Syntax

Three constructs are new in PTS≤s (compared to ordinary PTSs). We have bounded abstractions λx≤a:A. b, bounded quantifications Πx≤a:A. B, and bounded declarations Γ, x≤a:A. These constructs are important in the explanation of specifications of PTS≤s.

Definition 1. A specification of a PTS≤ is a 5-tuple (S, A, R, S≤, R≤) with the following properties:

1. S is a set of symbols called the sorts.

2. A ⊆ S × S, a set of axioms of the form (s : s').

3. R ⊆ S × S × S, a set of rules of the form (s₁, s₂, s₃).

4. S≤ ⊆ S is a set of subtyping sorts.

5. R≤ ⊆ S≤ × S × S, a set of bounded rules.

We write (s₁, s₂) for a (bounded) rule, as abbreviation for (s₁, s₂, s₂). The first three elements of the tuple serve exactly the same purpose as in PTSs [Bar92]. The subset of sorts S≤ controls on which levels we can introduce subtyping. We can make a bounded declaration x≤a:A, which declares variable x as a subtype of a, if a : A and A : s and s ∈ S≤. Intuitively, in the system λω≤ where S≤ = {□}, we admit Nat ≤ Int : * since * : □ and □ ∈ S≤, and we admit Car ≤ Vehicle : * since * : □ and □ ∈ S≤, but we do not admit x ≤ true : Bool since Bool : * and * ∉ S≤.
Just as R controls which Π-types (quantifications) we can form, R≤ controls which bounded Π-types (bounded quantifications) we can make, and hence also which bounded abstractions we can make. For example, in λ2 the rule (□, *) ∈ R makes the Π-type ΠX:*. X → X possible, and similarly, in λ2≤ the bounded rule (□, *) ∈ R≤ permits the bounded quantification ΠX≤Int:*. X → X. Typically, R≤ is a subset of R.

Definition 2 (Pseudoterms).

The set of pseudoterms T of a PTS≤ λ(S, A, R, S≤, R≤) is defined by

\[
T ::= V \mid S \mid (T\ T) \mid (\lambda V{:}T.\ T) \mid (\Pi V{:}T.\ T) \mid (\lambda V{\le}T{:}T.\ T) \mid (\Pi V{\le}T{:}T.\ T)
\]

where V is the set of variables.

In a pseudoterm λx≤a:A. b the λ binds occurrences of x in b, and similarly for Π. The notions of free and bound variables are defined accordingly. As usual, we write A → B for Πx:A. B when x ∉ FV(B).

Definition 3 (Pseudocontexts).

The set of pseudocontexts C of a PTS≤ λ(S, A, R, S≤, R≤) is defined by

— ε ∈ C

— Γ, x:A ∈ C if Γ ∈ C, A ∈ T, x ∈ V is Γ-fresh and x ∉ FV(A).

— Γ, x≤a:A ∈ C if Γ ∈ C, a, A ∈ T, x ∈ V is Γ-fresh and x ∉ FV(a) ∪ FV(A).

Here ε denotes the empty context, and a variable x is called Γ-fresh if x ∉ {y} ∪ FV(B) for all y:B occurring in Γ, and x ∉ {y} ∪ FV(b) ∪ FV(B) for all y≤b:B occurring in Γ.

Definition 4 (Reduction). The β-reduction relation ▷_β ⊆ T × T is defined by

\[
\begin{aligned}
(\lambda x{:}A.\ b)\ a &\rhd_\beta b[x := a] \\
(\lambda x{\le}a'{:}A.\ b)\ a &\rhd_\beta b[x := a]
\end{aligned}
\]

and all the compatibility rules. The relation ↠_β is the reflexive and transitive closure of ▷_β, and =_β is the reflexive, symmetric and transitive closure of ↠_β.

2.2 Typing Rules

We have three kinds of judgments: Γ ⊢ ok for Γ is well-formed, Γ ⊢ a : A for term a has type A in Γ, and Γ ⊢ A ≤ B for A is a subtype of B in Γ.

Definition 5 (Well-formedness of contexts).

\[
\begin{array}{lc}
\text{(C-empty)} & \varepsilon \vdash \mathit{ok} \\[8pt]
\text{(C-var)} & \dfrac{\Gamma \vdash A : s}{\Gamma, x{:}A \vdash \mathit{ok}} \\[12pt]
\text{(C-Bvar)} & \dfrac{\Gamma \vdash a : A \qquad \Gamma \vdash A : s \qquad s \in \mathcal{S}^{\le}}{\Gamma, x{\le}a{:}A \vdash \mathit{ok}}
\end{array}
\]
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By our definition of pseudocontext, x must be 7^-fresh in rules (C-var) and (C- 
Bvar). The (C-Bvar) rule formalizes that the set S- controls on which levels we 
may introduce subtyping, as explained above. E.g. if <S = {*, □}, A = {(* : □)} 
and S~ = {□} the context Jinit = Int : =i=, Nat < Int : is well-formed. 

Definition 6 (Unbounded typing rules). These rules are a slight reformulation of the rules for PTSs [Bar92], except for the absence of the conversion rule.

$$(\text{axiom})\quad \frac{\Gamma \vdash \mathrm{ok} \qquad (s_1 : s_2) \in \mathcal{A}}{\Gamma \vdash s_1 : s_2}$$

$$(\text{var})\quad \frac{\Gamma \vdash \mathrm{ok} \qquad x{:}A \in \Gamma}{\Gamma \vdash x : A}$$

$$(\Pi\text{-form})\quad \frac{\Gamma \vdash A : s_1 \qquad \Gamma, x{:}A \vdash B : s_2 \qquad (s_1, s_2, s_3) \in \mathcal{R}}{\Gamma \vdash (\Pi x{:}A.\ B) : s_3}$$

$$(\Pi\text{-intro})\quad \frac{\Gamma, x{:}A \vdash b : B \qquad \Gamma \vdash (\Pi x{:}A.\ B) : s}{\Gamma \vdash (\lambda x{:}A.\ b) : (\Pi x{:}A.\ B)}$$

$$(\Pi\text{-elim})\quad \frac{\Gamma \vdash b : (\Pi x{:}A.\ B) \qquad \Gamma \vdash a : A}{\Gamma \vdash b\ a : B[x := a]}$$



Definition 7 (Bounded typing rules).

$$(\text{subsum})\quad \frac{\Gamma \vdash b : B \qquad \Gamma \vdash B' : s \qquad \Gamma \vdash B \le B'}{\Gamma \vdash b : B'}$$

$$(\text{Bvar})\quad \frac{\Gamma \vdash \mathrm{ok} \qquad x{<}a{:}A \in \Gamma}{\Gamma \vdash x : A}$$

$$(\text{B}\Pi\text{-form})\quad \frac{\Gamma \vdash A : s_1 \qquad \Gamma, x{<}a{:}A \vdash B : s_2 \qquad (s_1, s_2, s_3) \in \mathcal{R}^{\le}}{\Gamma \vdash (\Pi x{<}a{:}A.\ B) : s_3}$$

$$(\text{B}\Pi\text{-intro})\quad \frac{\Gamma, x{<}a{:}A \vdash b : B \qquad \Gamma \vdash (\Pi x{<}a{:}A.\ B) : s}{\Gamma \vdash (\lambda x{<}a{:}A.\ b) : (\Pi x{<}a{:}A.\ B)}$$

$$(\text{B}\Pi\text{-elim})\quad \frac{\Gamma \vdash b : (\Pi x{<}a{:}A.\ B) \qquad \Gamma \vdash a' : A \qquad \Gamma \vdash a' \le a}{\Gamma \vdash b\ a' : B[x := a']}$$



The (subsum) rule is the usual rule for subtyping, with the additional premise $\Gamma \vdash B' : s$. This is necessary to ensure $B'$ is not an ill-behaved pseudoterm (recall that subtyping is possible on all pseudoterms). This rule is similar to the conversion rule in ordinary PTSs. Instead of demanding $B =_\beta B'$ we have $\Gamma \vdash B \le B'$. By looking ahead to the ($\le$-conv) rule in definition 8, we see that (subsum) generalizes the conversion rule.

Rules (Bvar) through (B$\Pi$-elim) are the bounded analogues of rules (var) through ($\Pi$-elim). The rule (B$\Pi$-elim) expresses what a bounded quantification means: if $b$ has type $\Pi x{<}a{:}A.\ B$, then it may only be applied to terms $a'$ which are a subtype of $a$ (and also have type $A$).
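As an added worked example (not part of the original paper), here is a derivation in $\lambda 2^{\le}$ showing how (B$\Pi$-elim) and (subsum) interact. It assumes the context $\Gamma = \Gamma_{init}, f : \Pi X{<}\mathrm{Int}{:}*.\ X \to X$, which is well-formed because $(\Box, *) \in \mathcal{R}^{\le}$ lets (B$\Pi$-form) type the bounded quantification with sort $*$.

First the bound variable $\mathrm{Nat}$ is typed and compared with its bound (both rules read the declaration $\mathrm{Nat}{<}\mathrm{Int}{:}* \in \Gamma$):

$$\frac{\Gamma \vdash \mathrm{ok} \qquad \mathrm{Nat}{<}\mathrm{Int}{:}* \in \Gamma}{\Gamma \vdash \mathrm{Nat} : *}\ (\text{Bvar}) \qquad\qquad \frac{\mathrm{Nat}{<}\mathrm{Int}{:}* \in \Gamma}{\Gamma \vdash \mathrm{Nat} \le \mathrm{Int}}\ (\le\text{-var})$$

Then (B$\Pi$-elim) instantiates the bounded quantifier; the third premise is exactly the subtyping side condition that an unbounded ($\Pi$-elim) would not demand:

$$\frac{\Gamma \vdash f : \Pi X{<}\mathrm{Int}{:}*.\ X \to X \qquad \Gamma \vdash \mathrm{Nat} : * \qquad \Gamma \vdash \mathrm{Nat} \le \mathrm{Int}}{\Gamma \vdash f\ \mathrm{Nat} : (X \to X)[X := \mathrm{Nat}] = \mathrm{Nat} \to \mathrm{Nat}}\ (\text{B}\Pi\text{-elim})$$

Finally (subsum) weakens the result type using ($\le$-$\Pi$), whose contravariant premise is discharged by ($\le$-conv) and whose covariant premise by ($\le$-var); the premise $\Gamma \vdash \mathrm{Nat} \to \mathrm{Int} : *$ comes from ($\Pi$-form) with $(*, *) \in \mathcal{R}$:

$$\frac{\dfrac{\mathrm{Nat} =_\beta \mathrm{Nat}}{\Gamma \vdash \mathrm{Nat} \le \mathrm{Nat}} \qquad \dfrac{\mathrm{Nat}{<}\mathrm{Int}{:}* \in \Gamma, x{:}\mathrm{Nat}}{\Gamma, x{:}\mathrm{Nat} \vdash \mathrm{Nat} \le \mathrm{Int}}}{\Gamma \vdash (\Pi x{:}\mathrm{Nat}.\ \mathrm{Nat}) \le (\Pi x{:}\mathrm{Nat}.\ \mathrm{Int})}\ (\le\text{-}\Pi)
\qquad
\frac{\Gamma \vdash f\ \mathrm{Nat} : \mathrm{Nat} \to \mathrm{Nat} \quad \Gamma \vdash \mathrm{Nat} \to \mathrm{Int} : * \quad \Gamma \vdash \mathrm{Nat} \to \mathrm{Nat} \le \mathrm{Nat} \to \mathrm{Int}}{\Gamma \vdash f\ \mathrm{Nat} : \mathrm{Nat} \to \mathrm{Int}}\ (\text{subsum})$$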
Definition 8 (Subtyping rules).

$$(\le\text{-conv})\quad \frac{a =_\beta b}{\Gamma \vdash a \le b}$$

$$(\le\text{-trans})\quad \frac{\Gamma \vdash a \le b \qquad \Gamma \vdash b \le c}{\Gamma \vdash a \le c}$$

$$(\le\text{-var})\quad \frac{x{<}a{:}A \in \Gamma}{\Gamma \vdash x \le a}$$

$$(\le\text{-}\Pi)\quad \frac{\Gamma \vdash A' \le A \qquad \Gamma, x{:}A' \vdash B \le B'}{\Gamma \vdash (\Pi x{:}A.\ B) \le (\Pi x{:}A'.\ B')}$$

$$(\le\text{-B}\Pi)\quad \frac{\Gamma, x{<}a{:}A \vdash B \le B'}{\Gamma \vdash (\Pi x{<}a{:}A.\ B) \le (\Pi x{<}a{:}A.\ B')}$$

$$(\le\text{-}\lambda)\quad \frac{\Gamma, x{:}A \vdash b \le b'}{\Gamma \vdash (\lambda x{:}A.\ b) \le (\lambda x{:}A.\ b')}$$

$$(\le\text{-app})\quad \frac{\Gamma \vdash b \le b'}{\Gamma \vdash b\ a \le b'\ a}$$



No subtyping rule depends on a typing judgment. As a consequence, $\le$ is a relation on pseudoterms. The rules ($\le$-conv), ($\le$-trans), ($\le$-var), ($\le$-$\lambda$) and ($\le$-app) are formulated as usual. Rule ($\le$-$\Pi$) is a general formulation of the usual subtyping rule for $\Pi$-types. We can use this rule even if there is no interesting subtyping on $B$ (or $A$). E.g. $\Gamma_{init} \vdash \mathrm{Int} \to * \le \mathrm{Nat} \to *$.

Rule ($\le$-B$\Pi$) is called the kernel-Fun rule, since it appears in Cardelli and Wegner's original Fun calculus [CW85]. There are alternatives for this rule, but ($\le$-B$\Pi$) has the best meta-theoretical properties [CG92,Pie94,CP94].



2.3 Examples of PTS$^{\le}$s

We show how examples of systems of the $\lambda$-cube [Bar92] extended with subtyping fit in our framework. These systems have $\mathcal{S} = \{*, \Box\}$, $\mathcal{A} = \{(* : \Box)\}$ and $\mathcal{R}$ consists only of pairs. The systems are extended with subtyping by choosing $\mathcal{S}^{\le} = \{\Box\}$, and taking for $\mathcal{R}^{\le}$ a subset of rules $(s_1, s_2)$ from $\mathcal{R}$. We do not repeat these common properties. We also briefly discuss some approaches to the meta-theories, and why these approaches fail to work for PTS$^{\le}$s.

The PTS$^{\le}$ $\lambda{\to}^{\le}$ is specified by $\mathcal{R} = \{(*, *)\}$ and $\mathcal{R}^{\le} = \emptyset$. Since $\Box \in \mathcal{S}^{\le}$ we can make and use subtyping declarations. The system $\lambda{\to}^{\le}$ is the standard extension of $\lambda{\to}$ with subtyping, e.g. defined in [Com95], and is the basis of [Car88].

The system $\lambda 2^{\le}$ is specified by $\mathcal{R} = \{(*, *), (\Box, *)\}$ and $\mathcal{R}^{\le} = \{(\Box, *)\}$. Since $(\Box, *) \in \mathcal{R}^{\le}$, we can make bounded quantifications. The system $\lambda 2^{\le}$ is equal to kernel-Fun [CW85], except for their Top type. The subtyping rule for the Top type in $\lambda 2^{\le}$ would be:

$$(\le\text{-Top})\quad \frac{\Gamma \vdash A : *}{\Gamma \vdash A \le \mathrm{Top}}$$

We didn't include Top, since this subtyping rule essentially depends on a typing judgment. This is incompatible with our approach, where subtyping does not depend on typing. The absence of Top types in PTS$^{\le}$s is not as bad as it seems, since we also have ordinary quantifications. The system $F_{\le}$ (e.g. [CG92]) is equal to $\lambda 2^{\le}$ except for a Top-type and a more liberal ($\le$-B$\Pi$) rule.

The system $\lambda\omega^{\le}$ is specified by $\mathcal{R} = \{(*, *), (\Box, *), (\Box, \Box)\}$ and $\mathcal{R}^{\le} = \{(\Box, *)\}$. The difference with $\lambda 2^{\le}$ is that $(\Box, \Box) \in \mathcal{R}$, resulting in type-constructors. This has two effects on subtyping. First, we have bounded quantifications where the bound is a type-constructor. Second, we have lifted subtyping on type-constructors by rules ($\le$-app) and ($\le$-$\lambda$). The system $\lambda\omega^{\le}$ is equal to the system of [PS94], except that $F^{\omega}_{\le}$ has a family of Top-types. In [Com95] a further extension of $F^{\omega}_{\le}$ is given. The meta-theory is developed in three stages: first the theory about typing type-constructors, then about the subtyping judgment and finally about typing programs. This cannot be done in general for PTS$^{\le}$s, since typing for the various categories of terms is mutually dependent. In [PS94] the Minimal Typing property is proved using the typing algorithm, whereas we prove this property separately.

The next system, an extension of $\lambda\omega^{\le}$, is specified by $\mathcal{R} = \{(*, *), (\Box, *), (\Box, \Box)\}$ and $\mathcal{R}^{\le} = \{(\Box, *), (\Box, \Box)\}$. The difference with $\lambda\omega^{\le}$ is that we have $(\Box, \Box) \in \mathcal{R}^{\le}$. With this rule, we can type bounded constructor abstractions, i.e. terms like $\lambda X{<}\mathrm{Int}{:}*.\ X \to X$. This system corresponds with the system defined in [CG97]. There are two differences. First, we have no Top-types. Second, we do not have subtyping on these bounded abstractions, because it destroys the property we formulated in lemma 5. The meta-theory developed in [CG97] follows a quite different approach than the works mentioned above and our work; by giving a typed operational semantics they solve the mutual dependence between the typing and subtyping judgments occurring in their system. We don't know whether this approach is applicable to PTS$^{\le}$s.

The system $\lambda P^{\le}$ is specified by $\mathcal{R} = \{(*, *), (*, \Box)\}$ and $\mathcal{R}^{\le} = \emptyset$. The rule $(*, \Box) \in \mathcal{R}$ gives types depending on programs and corresponding type-constructors, for which lifted subtyping is possible. The system $\lambda P_{\le}$ as described in [AC96] is roughly the same as this PTS$^{\le}$, and typing on programs in both systems is exactly equivalent. This system is the first calculus discussed here with mutual dependency between programs and type-constructors. They avoid circularities between lemmas about typing and lemmas about subtyping by syntactically distinguishing $\beta$-reduction on programs and on type-constructors. This syntactical distinction is impossible in PTS$^{\le}$s. Just as in [PS94] the Minimal Typing property is proved using the typing algorithm.

The PTS$^{\le}$ $\lambda C^{\le}$ is specified by $\mathcal{R} = \{(*, *), (*, \Box), (\Box, *), (\Box, \Box)\}$ and $\mathcal{R}^{\le} = \{(\Box, *), (\Box, \Box)\}$. This is the Calculus of Constructions [CH88], the most powerful system in the $\lambda$-cube, extended with subtyping and bounded quantifications. It includes all systems given above. The system $\lambda C^{\le}$ hasn't come up in the literature.

The PTS$^{\le}$ with the same $\mathcal{R}$ as $\lambda C^{\le}$ and $\mathcal{R}^{\le} = \emptyset$ is the subsystem of $\lambda C^{\le}$ where bounded quantifications have been left out. This PTS$^{\le}$ is exactly the same as the system defined in [Che97]. Here, programs and type-constructors are also mutually dependent, but the typing judgments occurring in subtyping rules all have the simple form $\Gamma \vdash A : s$. Using this in combination with the specific rules $\mathcal{R}$ of $\lambda C^{\le}$, enough meta-theory for typing can be proved before subtyping is examined. This method does not work for PTS$^{\le}$s, since terms involved in the subtype relation are not always typable with a sort.



2.4 Alternatives for Rules

In this section we discuss two alternatives for our rules, and why we have rejected these alternatives. Some other alternatives were given in section 2.3.

The ($\le$-$\lambda$) rule can be generalized, so that $\Gamma \vdash A' \le A$ and $\Gamma, x{:}A' \vdash B \le B'$ imply $\Gamma \vdash \lambda x{:}A.\ B \le \lambda x{:}A'.\ B'$. We have chosen ($\le$-$\lambda$) because it is simpler and the generalization does not have any effect in most PTS$^{\le}$s.

We first considered a more constrained version of the (subsum) rule:

$$(\text{subsum}')\quad \frac{\Gamma \vdash b : B \qquad \Gamma \vdash B' : s \qquad \Gamma \vdash s : s' \qquad s' \in \mathcal{S}^{\le} \qquad \Gamma \vdash B \le B'}{\Gamma \vdash b : B'}$$

We did so because we believed the meta-theory would be easier because of the additional constraints on $s$. It turned out, however, that the meta-theory was more difficult, so we rejected this rule.



3 Meta-theory

In this section we develop the meta-theory for PTS$^{\le}$s. First we establish a number of properties of the subtyping judgment (section 3.1). We are able to do so because subtyping does not depend on typing. Using these properties, we prove that the Subject Reduction property holds for all PTS$^{\le}$s (section 3.2). In functional PTSs (without subtyping), we have that every term has a unique type (modulo $\beta$-conversion). Subtyping destroys this property, but every term has a so-called minimal type. Section 3.3 shows this for functional PTS$^{\le}$s. First, we mention the Church-Rosser property for $\beta$-reduction.

Theorem 1. If $a =_\beta b$ then there is a $c$ with $a \rhd\!\rhd_\beta c$ and $b \rhd\!\rhd_\beta c$.



3.1 Properties of Subtyping

Unfortunately, the subtyping rules given in definition 8 are quite intractable; it is hard to prove properties about them. They are so intractable because there is a lot of redundancy in the subtyping rules; there can be several quite different derivations of the same subtyping judgment. Therefore we introduce a set of more restricted rules, equivalent to the set in definition 8, but with only a little redundancy. This set of restricted rules behaves much better, and in particular has the following crucial property: a subtype derivation using the restricted rules does not introduce untypable terms. To be more precise, if the terms in the conclusion of such a subtyping judgment are typable, then all terms occurring in the derivation of this judgment are typable. We will only be able to show this at the end of section 3.2, in lemma 6. The original rules do not have this property.

Two rules are responsible for the intractability of the set of original rules, namely ($\le$-trans) and ($\le$-app). We discuss for both rules which problems they cause, and which restricted rules (in definition 10 below) replace them.

The ($\le$-trans) rule. As in most systems with subtyping, this rule is the most responsible for the intractability of the original subtyping rules, and we have a similar solution. Recall that ($\le$-trans) allows deriving $\Gamma \vdash a \le c$ from $\Gamma \vdash a \le b$ and $\Gamma \vdash b \le c$.

It can be used at any moment in a derivation, since there are no restrictions on the form of the conclusions $a$ and $c$. Even worse, the term $b$ in the premises cannot be determined from $a$ and $c$, and even when $a$ and $c$ are typable terms, $b$ can be a non-typable term. It is essential in two situations. First, using ($\le$-trans) and ($\le$-conv) we can derive $\Gamma \vdash a \le b$ from $\Gamma \vdash a' \le b'$ whenever $a \rhd\!\rhd_\beta a'$ and $b \rhd\!\rhd_\beta b'$. This use of the ($\le$-trans) rule is taken over by the more direct ($\le$-red) rule (in definition 10). As a side-effect, the ($\le$-conv) rule can be simplified to ($\le$-refl).

Second, the ($\le$-trans) rule is necessary when the term $a$ is a variable $x$, and $c$ is not convertible to $a$. This use of transitivity is taken over by the ($\le$-transvar) rule.

In all other cases, the ($\le$-trans) rule is not essential, because it can be "pushed" upwards through the derivation, ending only in one of the situations sketched above. This property, sometimes called "Transitivity Elimination" [Com95,Che97], is formally proved in lemma 4.

The ($\le$-app) rule. Another source of intractability is the ($\le$-app) rule, which says that $\Gamma \vdash b\ a \le b'\ a$ is derivable from $\Gamma \vdash b \le b'$. It is not apparent that this rule gives problems, but consider the case when $b$ is an abstraction: instead of using ($\le$-app), we could also reduce $b\ a$ using the ($\le$-trans) and ($\le$-conv) rules (in the same way as above), and proceed from there. If a judgment of this form holds, it can always be derived without ($\le$-app). So for this kind of judgment, we do not need the ($\le$-app) rule, and we would like to remove it, to have less redundancy.

However, it is essential in two situations. First, if term $b$ (in judgment $b\ a \le b'\ a$) is a variable. This is catered for by the ($\le$-transvar) rule given in definition 10, where ($\le$-app) is combined with ($\le$-trans) and ($\le$-var). Second, if the term $b$ is a (bounded or unbounded) $\Pi$-type. For example we can derive with ($\le$-app) that $\Gamma_{init}, B{:}* \vdash (\Pi x{:}B.\ \mathrm{Nat})\ B \le (\Pi x{:}B.\ \mathrm{Int})\ B$. The reader might reject this situation by saying that $b\ a$ is never typable if $b$ is a $\Pi$-type. This is true, however subtyping is defined on pseudoterms, rather than (typable) terms, so we cannot ignore this situation here. This is a consequence of the decision that the subtyping rules do not depend on typing judgments.

This situation is catered for by the ($\le$-$\Pi$app) rule below. In the end, when we have shown Subject Reduction, we will see we do not need the ($\le$-$\Pi$app) rule after all (lemma 6). This seems to be a contradiction with the statement that ($\le$-app) is essential in this situation. But it is not a contradiction: for pseudoterms the ($\le$-$\Pi$app) rule is essential, and for typable terms it is redundant. In other words, the rule is needed only as a catalyst, in order to make the proof of the meta-theory for subtyping as smooth as possible.

In other situations, the ($\le$-app) rule is not essential, which is proved in lemma 3.

Definition 9. A term $a$ is a $\Pi$-type if $a = \Pi x{:}B.\ C$ or $a = \Pi x{<}b{:}B.\ C$ for some $b$, $B$ and $C$.



Definition 10 (Subtyping rules).

$$(\le\text{-refl})\quad \frac{}{\Gamma \vdash b \le b}$$

$$(\le\text{-red})\quad \frac{a \rhd\!\rhd_\beta a' \qquad b \rhd\!\rhd_\beta b' \qquad \Gamma \vdash a' \le b'}{\Gamma \vdash a \le b}$$

$$(\le\text{-transvar})\quad \frac{x{<}a{:}A \in \Gamma \qquad \Gamma \vdash a\ c_1\ c_2 \cdots c_n \le b \qquad n \ge 0}{\Gamma \vdash x\ c_1\ c_2 \cdots c_n \le b}$$

$$(\le\text{-}\Pi\text{app})\quad \frac{\Gamma \vdash a \le b \qquad a \text{ is a } \Pi\text{-type} \qquad b \text{ is a } \Pi\text{-type} \qquad n \ge 1}{\Gamma \vdash a\ c_1\ c_2 \cdots c_n \le b\ c_1\ c_2 \cdots c_n}$$

$$(\le\text{-}\Pi)\quad \frac{\Gamma \vdash A' \le A \qquad \Gamma, x{:}A' \vdash B \le B'}{\Gamma \vdash (\Pi x{:}A.\ B) \le (\Pi x{:}A'.\ B')}$$

$$(\le\text{-B}\Pi)\quad \frac{\Gamma, x{<}a{:}A \vdash B \le B'}{\Gamma \vdash (\Pi x{<}a{:}A.\ B) \le (\Pi x{<}a{:}A.\ B')}$$

$$(\le\text{-}\lambda)\quad \frac{\Gamma, x{:}A \vdash b \le b'}{\Gamma \vdash (\lambda x{:}A.\ b) \le (\lambda x{:}A.\ b')}$$

Convention. From this point onwards, we will always use the subtyping rules of definition 10. We will refer to the original, liberal rules (definition 8) using $\Gamma \vdash_l a \le b$. Note that the typing rules use the liberal rules.
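As an added worked example (not part of the original paper), here are two judgments derived once with the liberal rules of definition 8 and once with the restricted rules of definition 10, showing how ($\le$-transvar) absorbs ($\le$-trans), ($\le$-var) and ($\le$-app). Both contexts are assumptions: $\Gamma = \mathrm{Int}{:}*, \mathrm{Nat}{<}\mathrm{Int}{:}*, \mathrm{Even}{<}\mathrm{Nat}{:}*$ (well-formed in any of the systems of section 2.3 by (C-Bvar), since $\Gamma \vdash * : \Box$ and $\Box \in \mathcal{S}^{\le}$), and $\Gamma' = \mathrm{Int}{:}*, \mathrm{List}{:}* \to *, \mathrm{Stack}{<}\mathrm{List}{:}* \to *$ (well-formed in $\lambda\omega^{\le}$, where $(\Box, \Box) \in \mathcal{R}$ gives $\Gamma' \vdash * \to * : \Box$).

A chain of two bounds, liberal rules ($n = 0$ case of transitivity through a variable):

$$\frac{\dfrac{\mathrm{Even}{<}\mathrm{Nat}{:}* \in \Gamma}{\Gamma \vdash_l \mathrm{Even} \le \mathrm{Nat}}\ (\le\text{-var}) \qquad \dfrac{\mathrm{Nat}{<}\mathrm{Int}{:}* \in \Gamma}{\Gamma \vdash_l \mathrm{Nat} \le \mathrm{Int}}\ (\le\text{-var})}{\Gamma \vdash_l \mathrm{Even} \le \mathrm{Int}}\ (\le\text{-trans})$$

The same judgment with the restricted rules; the middle term $\mathrm{Nat}$ is now forced by the declaration of $\mathrm{Even}$ in $\Gamma$ instead of being a free choice, and the derivation ends in ($\le$-refl) rather than ($\le$-conv):

$$\frac{\mathrm{Even}{<}\mathrm{Nat}{:}* \in \Gamma \qquad \dfrac{\mathrm{Nat}{<}\mathrm{Int}{:}* \in \Gamma \qquad \dfrac{}{\Gamma \vdash \mathrm{Int} \le \mathrm{Int}}\ (\le\text{-refl})}{\Gamma \vdash \mathrm{Nat} \le \mathrm{Int}}\ (\le\text{-transvar}),\ n = 0}{\Gamma \vdash \mathrm{Even} \le \mathrm{Int}}\ (\le\text{-transvar}),\ n = 0$$

Lifted subtyping on a type-constructor, liberal rules (a use of ($\le$-app) with a variable as $b$):

$$\frac{\dfrac{\mathrm{Stack}{<}\mathrm{List}{:}* \to * \in \Gamma'}{\Gamma' \vdash_l \mathrm{Stack} \le \mathrm{List}}\ (\le\text{-var})}{\Gamma' \vdash_l \mathrm{Stack}\ \mathrm{Int} \le \mathrm{List}\ \mathrm{Int}}\ (\le\text{-app})$$

With the restricted rules the argument $\mathrm{Int}$ travels with the variable into the premise ($c_1 = \mathrm{Int}$, $n = 1$), so no separate application rule is needed:

$$\frac{\mathrm{Stack}{<}\mathrm{List}{:}* \to * \in \Gamma' \qquad \dfrac{}{\Gamma' \vdash \mathrm{List}\ \mathrm{Int} \le \mathrm{List}\ \mathrm{Int}}\ (\le\text{-refl})}{\Gamma' \vdash \mathrm{Stack}\ \mathrm{Int} \le \mathrm{List}\ \mathrm{Int}}\ (\le\text{-transvar}),\ n = 1$$

In both restricted derivations no ($\le$-red) step occurs, so the NR-height of definition 11 coincides with the ordinary height (3 for the first, 2 for the second).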

Most other works [PS94,AC96,CG97,Che97] also have a set of alternative typing rules, roughly similar to ours, i.e. with ($\le$-app) and ($\le$-trans) replaced by ($\le$-transvar). There are two important differences. First, none of the sets of alternative rules in the literature have the rule ($\le$-$\Pi$app). Second, the alternative rules differ considerably in the approach to reduction in subtyping judgments (our rule ($\le$-red)).

In the rest of this section we show some properties of the new subtyping rules, including some Generation properties, equivalence with the liberal rules, and the Substitution lemmas. But first we show that subtyping is closed under $\beta$-conversion, i.e. $\beta$-converting a term in a subtyping judgment keeps it derivable (theorem 2). Even the number of interesting steps, i.e. those other than ($\le$-red), in the derivation for this judgment stays the same.

Convention. We use the letter $T$ as meta-variable for derivation trees, because it resembles a willow.



Definition 11. The NR-height of a subtyping derivation $T$, written as NR-height$(T)$, is the height of $T$, not counting applications of the ($\le$-red) rule. NR stands for "Not counting Reductions". We write $T \le T'$ as shorthand for NR-height$(T) \le$ NR-height$(T')$, and similarly for $<$.

Definition 12. $\rhd_\beta$, $\rhd\!\rhd_\beta$ and $=_\beta$ are extended to contexts in the usual way.

Theorem 2 ($\le$-Conversion-closed). Suppose $\Gamma =_\beta \Gamma'$ and $a =_\beta a'$ and $b =_\beta b'$. If $T$ derives $\Gamma \vdash a \le b$ then there is a $T' \le T$ such that $T'$ derives $\Gamma' \vdash a' \le b'$.

This property is very important, since it allows us to convert terms in a subtyping judgment without increasing the NR-height. This makes the NR-height a very useful induction measure. An example of use of this lemma is in the proof of lemma 4.

Now we prove Generation properties for subtyping. We mention only

Lemma 1 ($\le$-Generation).

1. If $\Gamma \vdash \Pi x{:}A_1.\ B_1 \le \Pi x{:}A_2.\ B_2$ then $\Gamma \vdash A_2 \le A_1$ and $\Gamma, x{:}A_2 \vdash B_1 \le B_2$.

2. If $\Gamma \vdash (\Pi x{<}a_1{:}A_1.\ B_1) \le (\Pi x{<}a_2{:}A_2.\ B_2)$ then $a_1 =_\beta a_2$ and $A_1 =_\beta A_2$ and $\Gamma, x{<}a_1{:}A_1 \vdash B_1 \le B_2$.

One of the reasons for introducing the restricted subtyping rules is that generation properties like these are very hard to prove for the original subtyping rules.

The first Substitution property for subtyping allows us to replace an unbounded variable $y$ with any term $c$. Note that $c$ does not have to be typable.

Lemma 2 ($\le$-Substitution). If $\Gamma, y{:}C, \Gamma' \vdash a \le b$ and $\Gamma, \Gamma'[y := c]$ is a pseudocontext then $\Gamma, \Gamma'[y := c] \vdash a[y := c] \le b[y := c]$.

The other part of the Substitution property, replacing a bounded variable, is proved at the end of this section. We use the $\le$-Substitution property just given for showing admissibility of the ($\le$-app) rule.

Lemma 3 (App-admissible). If $\Gamma \vdash a \le b$ then $\Gamma \vdash a\ c \le b\ c$.
Proof. By induction on the NR-height of the derivation, and by case distinction on the last derivation rule other than ($\le$-red). $\Box$

Note that this property depends essentially on the ($\le$-$\Pi$app) rule; for an example see the discussion about the ($\le$-app) rule at the start of this section.

Lemma 4 (Trans-admissible). If $\Gamma \vdash a \le b$ and $\Gamma \vdash b \le c$ then $\Gamma \vdash a \le c$.

Proof. By induction on the sum of the NR-heights of the derivations. Consider in each derivation the last rule other than ($\le$-red). So we have $a \rhd\!\rhd_\beta a'$, $b \rhd\!\rhd_\beta b'$, $\Gamma \vdash a' \le b'$, $b \rhd\!\rhd_\beta b''$, $c \rhd\!\rhd_\beta c'$ and $\Gamma \vdash b'' \le c'$, where the last rule in both derivations is not ($\le$-red). Now we make a case distinction on the last rule used for deriving $\Gamma \vdash a' \le b'$. Cases ($\le$-refl) and ($\le$-transvar) are straightforward, using theorem 2 (and the IH for ($\le$-transvar)). For the other cases, we make a case distinction on the last rule used for deriving $\Gamma \vdash b'' \le c'$. Since $b' =_\beta b''$, it is easy to see this derivation uses either ($\le$-refl) (then we are done by theorem 2), or the same rule as for $\Gamma \vdash a' \le b'$ (then we finish the proof using theorem 2 and the IH). $\Box$

Now all liberal rules (definition 8) have been shown to be admissible, so every subtyping judgment derivable with the liberal rules is also derivable with the restricted rules.

Theorem 3 (Equivalence). $\Gamma \vdash_l a \le b \iff \Gamma \vdash a \le b$.

Proof. Soundness ($\Leftarrow$) is easy. Completeness ($\Rightarrow$) follows from the admissibility lemmas 3 and 4; admissibility of ($\le$-conv) and ($\le$-var) is simple. $\Box$

Soundness only holds because the liberal rules do not have typing judgments as premise. The equivalence allows replacing each premise of the form $\Gamma \vdash_l a \le b$ in typing rules by the premise $\Gamma \vdash a \le b$ without changing the set of derivable typing judgments, so we can use properties like lemma 1 when proving properties about the typing judgment.

Using the admissibility of ($\le$-trans) and ($\le$-app), we prove the other Substitution property.

Lemma 5 ($\le$-Substitution). If $\Gamma \vdash c \le c'$ and $\Gamma, y{<}c'{:}C, \Gamma' \vdash a \le b$ and $\Gamma, \Gamma'[y := c]$ is a pseudocontext then $\Gamma, \Gamma'[y := c] \vdash a[y := c] \le b[y := c]$.

The $\le$-Substitution properties are essential to prove Subject Reduction, via the Substitution properties for typing.



3.2 Subject Reduction

The proof of Subject Reduction goes along the same lines as in ordinary PTSs, and is longer but not more complicated. We first have to prove the usual Substitution properties, using $\le$-Substitution, then prove the Generation and Correctness of Types lemmas and then proceed to Subject Reduction.

Theorem 4 (Subject Reduction). If $\Gamma \vdash a : A$ and $a \rhd_\beta b$ then $\Gamma \vdash b : A$.

Proof. By strengthening the IH as usual, and by induction on the derivation. All cases go straightforwardly by IH, except in the first clauses, when $a$ is a redex. These cases are proved in a similar way as in [Bar92], now using lemma 1. $\Box$

Subject Reduction has an important consequence for subtyping derivations: the subtyping rules do not introduce untypable terms. In other words, if the terms in the conclusion are typable, then all terms in the derivation are typable.

Lemma 6. Suppose $T$ derives $\Gamma \vdash a \le b$, and $\Gamma \vdash a : A$ and $\Gamma \vdash b : B$ hold. Then for all subderivations $T'$ of $T$, where $T'$ shows $\Gamma' \vdash c \le d$ for some $c$ and $d$, there are $C$, $D$ such that $\Gamma' \vdash c : C$ and $\Gamma' \vdash d : D$.

This lemma has the following consequence. The ($\le$-$\Pi$app) rule is not used in subtyping derivations with typable terms in the conclusion. This follows from the fact that the conclusion of the ($\le$-$\Pi$app) rule contains two terms that are never typable, since the terms consist of an application of a $\Pi$-type to one or more arguments.



3.3 Minimal Typing

For ordinary functional PTSs, we have Uniqueness of Typing, which says that a term has only one type, modulo $\beta$-conversion. We do not have unique types in PTS$^{\le}$s, since by the subsumption rule a term can have different types. We will show that we do have a weaker property, Minimal Typing. This means that every typable term has a minimal type.

Definition 13. Term $a$ has minimal type $A$ in $\Gamma$, notated as $\Gamma \vdash_m a : A$, if $\Gamma \vdash a : A$ and for all $B$, $\Gamma \vdash a : B \Rightarrow \Gamma \vdash A \le B$.

Minimal Typing is important for type-checking, since the problem "does term $a$ have type $B$" can then be split into the simpler problems "compute a minimal type $A$ for $a$" and "is $A$ a subtype of $B$".

Minimal Typing holds only for functional PTS$^{\le}$s:

Definition 14. A PTS$^{\le}$ $\lambda(\mathcal{S}, \mathcal{A}, \mathcal{R}, \mathcal{S}^{\le}, \mathcal{R}^{\le})$ is functional if

$$(s : s') \in \mathcal{A} \text{ and } (s : s'') \in \mathcal{A} \Rightarrow s' = s''$$

$$(s_1, s_2, s_3) \in \mathcal{R} \text{ and } (s_1, s_2, s_3') \in \mathcal{R} \Rightarrow s_3 = s_3'$$

$$(s_1, s_2, s_3) \in \mathcal{R}^{\le} \text{ and } (s_1, s_2, s_3') \in \mathcal{R}^{\le} \Rightarrow s_3 = s_3'$$

However, Minimal Typing is not easily proved. A direct proof by induction on the structure of the term (say $a$) fails, because of two problems.

First, we sometimes need the induction hypothesis for a type of $a$, instead of a subterm. We solve this problem by first proving a property called Weak Minimal Typing (lemma 8), which is strong enough to replace the IH for the type of $a$.
Second, if $a$ is an application $b\ c$, we get by the IH a minimal type $B$ of $b$. But we are not interested in $B$ itself, but in $B'$, the least supertype of $B$ that is a $\Pi$-type; only from $B'$ can we calculate a minimal type of the application $b\ c$. We obtain this $B'$ by introducing a new kind of reduction $\rhd_{wh\beta\sigma}$ (weak head $\beta\sigma$), which reduces $B$ to $B'$.

Convention. In this section we consider only functional PTS$^{\le}$s.

First we show the Weak Minimal Typing property that says that common types of a term have a (common) lower bound, and then we define $\rhd_{wh\beta\sigma}$-reduction.

Definition 15. Terms $a$ and $b$ have a lower bound in $\Gamma$, $\Gamma \vdash a \sqcap b$, if there is a $c$ such that $\Gamma \vdash c \le a$ and $\Gamma \vdash c \le b$.

Lemma 7.

— If $\Gamma \vdash s_1 \sqcap s_2$ then $s_1 = s_2$.

— If $\Gamma \vdash (\Pi x{:}A_1.\ B_1) \sqcap (\Pi x{:}A_2.\ B_2)$ then $\Gamma, x{:}A_1 \vdash B_1 \sqcap B_2$.

— If $\Gamma \vdash (\Pi x{<}a_1{:}A_1.\ B_1) \sqcap (\Pi x{<}a_2{:}A_2.\ B_2)$ then $\Gamma, x{<}a_1{:}A_1 \vdash B_1 \sqcap B_2$.

— Not $\Gamma \vdash (\Pi x{:}A_1.\ B_1) \sqcap (\Pi x{<}a_2{:}A_2.\ B_2)$.

— If $\Gamma \vdash A \sqcap s$ then $\Gamma \vdash A \le s$.

Lemma 8 (Weak Minimal Typing).

If $\Gamma \vdash a : A$ and $\Gamma \vdash a : B$ then $\Gamma \vdash A \sqcap B$.

Proof. By induction on the structure of $a$. Apply the Generation lemma to $\Gamma \vdash a : A$ and $\Gamma \vdash a : B$. For some cases, we need lemmas 7, 4, 2 and 5. $\Box$

Note that if we read "$=_\beta$" for "$\le$", then "$\sqcap$" is equal to "$=_\beta$", and we have the Uniqueness of Types property. Using Weak Minimal Typing, we prove the following lemma that relates the types of two terms that are in the subtype relation. We also need this lemma in the proof of Minimal Typing.

Lemma 9. If $\Gamma \vdash a \le b$ and $\Gamma \vdash a : A$ and $\Gamma \vdash b : B$ then $\Gamma \vdash A \sqcap B$.

Proof. By induction on the subtyping derivation, using lemmas 7 and 6, and Weak Minimal Typing. $\Box$

We define $\rhd_{wh\beta\sigma}$-reduction as the union of $\rhd_{wh\beta}$ and $\rhd_{wh\sigma}$, where $\rhd_{wh\beta}$ is the usual weak head restriction of $\rhd_\beta$, and $\rhd_{wh\sigma}$ reduces a term $x\ b_1 \ldots b_n$ to $c\ b_1 \ldots b_n$ if $c$ is the bound of $x$. This reduction is the weak head restriction of the so-called $\sigma$-reduction found in [PS94,Che97,CG97].

Definition 16. The relation $\_ \vdash \_ \rhd_{wh\beta\sigma} \_$ is defined as follows:

$$\Gamma \vdash (\lambda x{:}A.\ b)\ a \;\rhd_{wh\beta\sigma}\; b[x := a]$$

$$\Gamma \vdash (\lambda x{<}a'{:}A.\ b)\ a \;\rhd_{wh\beta\sigma}\; b[x := a]$$

$$x{<}a{:}A \in \Gamma \;\Rightarrow\; \Gamma \vdash x \;\rhd_{wh\beta\sigma}\; a$$

$$\Gamma \vdash a \;\rhd_{wh\beta\sigma}\; a' \;\Rightarrow\; \Gamma \vdash a\ b \;\rhd_{wh\beta\sigma}\; a'\ b$$

$\_ \vdash \_ \rhd\!\rhd_{wh\beta\sigma} \_$ is the reflexive and transitive closure of $\_ \vdash \_ \rhd_{wh\beta\sigma} \_$.

Lemma 10.

— If $\Gamma \vdash A \le s$ then $\Gamma \vdash A \rhd\!\rhd_{wh\beta\sigma} s$.

— If $\Gamma \vdash A \le (\Pi x{:}B.\ C)$ then $\Gamma \vdash A \rhd\!\rhd_{wh\beta\sigma} (\Pi x{:}B'.\ C)$ and $\Gamma \vdash (\Pi x{:}B'.\ C) \le (\Pi x{:}B.\ C)$.

— If $\Gamma \vdash A \le (\Pi x{<}b{:}B.\ C)$ then $\Gamma \vdash A \rhd\!\rhd_{wh\beta\sigma} (\Pi x{<}b'{:}B'.\ C)$ and $\Gamma \vdash (\Pi x{<}b'{:}B'.\ C) \le (\Pi x{<}b{:}B.\ C)$.

Theorem 5 (Minimal Typing for functional PTS$^{\le}$s).

If $a$ is typable in $\Gamma$, there is a type $M$ with $\Gamma \vdash_m a : M$.

Proof. By induction on the structure of $a$. Use the Generation lemma. For every case we have two parts. First, find an $M$ such that $\Gamma \vdash a : M$. Second, show that this $M$ is minimal. We sketch the proof of two cases.

If $a = b\ c$ then $\Gamma \vdash b : \Pi x{:}C.\ D$ or $\Gamma \vdash b : \Pi x{<}c'{:}C.\ D$. Assume we are in the first case, and $\Gamma \vdash c : C$. By IH $\Gamma \vdash_m b : M_1$, so $\Gamma \vdash M_1 \le \Pi x{:}C.\ D$. By lemma 10 $\Gamma \vdash M_1 \rhd\!\rhd_{wh\beta\sigma} \Pi x{:}C.\ D'$ and $\Gamma \vdash \Pi x{:}C.\ D' \le \Pi x{:}C.\ D$. A minimal type of $a$ is now $D'[x := c]$.

If $a = \lambda x{:}C.\ d$ then $\Gamma, x{:}C \vdash d : D$ and $\Gamma \vdash \Pi x{:}C.\ D : s_3$, which gives $\Gamma \vdash C : s_1$ and $\Gamma, x{:}C \vdash D : s_2$. By IH $\Gamma, x{:}C \vdash_m d : M_1$, so $\Gamma, x{:}C \vdash M_1 \le D$. By Correctness of Types $\Gamma, x{:}C \vdash M_1 : s_2'$, and by lemma 9 $\Gamma, x{:}C \vdash s_2 \sqcap s_2'$ and hence by lemma 7 $s_2 = s_2'$. So $\Gamma \vdash \Pi x{:}C.\ M_1 : s_3$ and we can derive $\Gamma \vdash a : \Pi x{:}C.\ M_1$. It is easy to show that this type is minimal. $\Box$

Finally, each PTS can be seen as a PTS$^{\le}$ with $\mathcal{S}^{\le}$ and $\mathcal{R}^{\le}$ empty.

Theorem 6. Take the PTS $P$ with specification $(\mathcal{S}, \mathcal{A}, \mathcal{R})$ and the PTS$^{\le}$ $S$ with specification $(\mathcal{S}, \mathcal{A}, \mathcal{R}, \emptyset, \emptyset)$. Then $\Gamma \vdash_P a : A \iff \Gamma \vdash_S a : A$.
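As an added worked example (not part of the original paper), the application case of the proof above is carried through for a concrete term, to show the one step the sketch hides: the $\sigma$-part of $\rhd_{wh\beta\sigma}$ turning a bounded type variable into the $\Pi$-type needed for ($\Pi$-elim). The context is an assumption, $\Gamma = \mathrm{Int}{:}*,\ \mathrm{Nat}{<}\mathrm{Int}{:}*,\ F{<}(\mathrm{Int} \to \mathrm{Int}){:}*,\ f{:}F,\ n{:}\mathrm{Nat}$; it is well-formed already in $\lambda{\to}^{\le}$, since the declaration $F{<}(\mathrm{Int} \to \mathrm{Int}){:}*$ only needs (C-Bvar) with $\Gamma \vdash * : \Box$ and $\Box \in \mathcal{S}^{\le}$, and no bounded quantification occurs.

We compute a minimal type of $a = f\ n$. The IH on the subterm $f$ gives $\Gamma \vdash_m f : F$ (only (Bvar) applies to $f$, and every other type of $f$ arises from $F$ by (subsum)). The minimal type $F$ is not itself a $\Pi$-type, so ($\Pi$-elim) cannot be applied to it directly; but $\Gamma \vdash F \le \Pi x{:}\mathrm{Int}.\ \mathrm{Int}$ holds by ($\le$-transvar) with $n = 0$ and ($\le$-refl), so lemma 10 applies and yields the least $\Pi$-supertype by a single $\sigma$-step, the third clause of definition 16:

$$F{<}(\mathrm{Int} \to \mathrm{Int}){:}* \in \Gamma \;\Rightarrow\; \Gamma \vdash F \;\rhd_{wh\beta\sigma}\; \Pi x{:}\mathrm{Int}.\ \mathrm{Int}, \qquad \Gamma \vdash \Pi x{:}\mathrm{Int}.\ \mathrm{Int} \le \Pi x{:}\mathrm{Int}.\ \mathrm{Int}$$

In the notation of the proof, $M_1 = F$, $C = \mathrm{Int}$ and $D' = D = \mathrm{Int}$. The argument $n$ has type $\mathrm{Nat}$ by (var) and type $\mathrm{Int}$ by (subsum), since $\Gamma \vdash \mathrm{Nat} \le \mathrm{Int}$ by ($\le$-var) and $\Gamma \vdash \mathrm{Int} : *$ by (var). The typing of $a$ itself therefore goes through (subsum) on $f$ followed by ($\Pi$-elim):

$$\frac{\dfrac{\Gamma \vdash f : F \qquad \Gamma \vdash \mathrm{Int} \to \mathrm{Int} : * \qquad \Gamma \vdash F \le \mathrm{Int} \to \mathrm{Int}}{\Gamma \vdash f : \Pi x{:}\mathrm{Int}.\ \mathrm{Int}}\ (\text{subsum}) \qquad \dfrac{\Gamma \vdash n : \mathrm{Nat} \quad \Gamma \vdash \mathrm{Int} : * \quad \Gamma \vdash \mathrm{Nat} \le \mathrm{Int}}{\Gamma \vdash n : \mathrm{Int}}\ (\text{subsum})}{\Gamma \vdash f\ n : \mathrm{Int}[x := n] = \mathrm{Int}}\ (\Pi\text{-elim})$$

So $\Gamma \vdash_m f\ n : \mathrm{Int}$: the candidate $D'[x := c] = \mathrm{Int}$ is a type of $a$, and by definition 13 any other type $B$ of $f\ n$ satisfies $\Gamma \vdash \mathrm{Int} \le B$. Note that $\mathrm{Nat}$ is not a type of $f\ n$ even though $n : \mathrm{Nat}$; the result sort is fixed by the bound of $F$, which is what the $\sigma$-step reads off the context.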

4 Conclusions

In this paper we defined the framework of Pure Type Systems with Subtyping, an extension of the PTSs with subtyping, bounded quantification and lifted subtyping. We do not have subtyping on sorts (e.g. as in [Luo89]), or coercive subtyping, which means that subtyping between existing types can be defined with coercions [Bar96]. Many existing type systems with subtyping can be seen as members of our framework, viz. $\lambda{\to}^{\le}$, $F_{\le}$, $F^{\omega}_{\le}$, $\lambda P_{\le}$ and the calculus of [Che97]. Other members, like $\lambda C^{\le}$, are new systems which have promising features, both applicable in programming languages and in theorem proving.

We developed the meta-theory for PTS$^{\le}$s, including Subject Reduction and Minimal Typing. In order to prove these properties, we adopted the design decision that the subtyping rules do not depend on the typing rules. This allows us to develop the meta-theory for the subtyping judgment before the theory of the typing judgment. However, this decision alone was not sufficient: we had to give a reformulation of the subtyping rules (definition 10) that behaved better. In particular, the reformulated rules do not introduce untypable terms: if the terms in the conclusion are typable, so are all terms in the premises of the rule (lemma 6). This property is important in our proof of Minimal Typing.

The decision has two drawbacks. First, $\le$ is defined for all pseudoterms instead of only for (typable) terms. Similarly, the meta-theory for the subtyping judgment is done for pseudoterms. This forced us to introduce a weird rule, ($\le$-$\Pi$app), to have equivalence between the original rules and the reformulated rules on pseudoterms. This rule is weird, since it only relates untypable terms, but we showed in lemma 6 that ($\le$-$\Pi$app) is never used in sensible subtyping derivations. Second, the design decision makes it hard to extend the PTS$^{\le}$s with some features, like Top-types or subtyping on bounded operator abstractions (section 2.3). For many systems, these extensions make little sense and this drawback has no effect.

A type-checking algorithm and decidability of typing for a range of PTS$^{\le}$s is beyond the scope of this paper, but will appear elsewhere [Zwa99].